Full Disclosure mailing list archives
Re: PC Firewall Choices
From: greybrimstone () aim com
Date: Thu, 19 Jan 2006 13:22:53 -0500
All very good points. I am not certain as to how viable of an option this "idea" would be, but what about a totally R/O firewall after configuration? Incorporate some sort of memory protection into that, such as stack and heap protection. You'd then have a pretty secure firewall... but then again... if its passing traffic to an insecure box... you're screwed anyway.
-Adriel -----Original Message----- From: Juliao Duartenn <juliao.duartenn () oblog pt> To: greybrimstone () aim comCc: Valdis.Kletnieks () vt edu; me () n33t org; full-disclosure () lists grok org uk
Sent: Wed, 18 Jan 2006 10:28:51 +0000 Subject: Re: [Full-disclosure] PC Firewall Choices On Tue, 2006-01-17 at 23:33 -0500, greybrimstone () aim com wrote:
Thats assuming that malware isn't being designed for that firewall.
I'm
sure you already know that software is software regardless of the hardware that it is running on. Likewise a vulnerability is still a vulnerability... I suppose you could r/o the system... but you need to write the confs somewhere right? -Adriel
Configuration on a hardware firewall is usually a pretty stable thing - you don't go around opening ports at random every day, now do you? Most modern {linux|bsd} firewall implementations can now run from a read-only device, namely CD-ROM, and also write their configuration to a removable device that you can manually set RW or RO - floppy, USB pen, etc. Of course, since most implementations mount parts of the filesystem into RAM, you're still vulnerable to attacks, they are merely non-permanent, if you reboot you are clean again, albeit with the original hole still present, i'd say. There are, of course, solutions for that too, but I still haven't seen one that really works - meaning that it can detect and prevent tampering in real-time. The best thing I can remember is running tripwire against a RO database on CD, but that can still be tampered with. Any thoughts? Juliao
-----Original Message----- From: Valdis.Kletnieks () vt edu To: Nick Hyatt <me () n33t org> Cc: full-disclosure () lists grok org uk Sent: Tue, 17 Jan 2006 21:08:39 -0500 Subject: Re: [Full-disclosure] PC Firewall Choices On Tue, 17 Jan 2006 18:59:52 MST, Nick Hyatt said: > Given the choice between one of those selections and a standard Linksys> router / firewall combo, wouldn't it be safer to go with the
hardware
> firewall? I find the configuration options to be quite a bit more in-depth, > and the hardware firewall doesn't get itself as stuck in the system as say, > ZA does.Even more important, a hardware firewall can't be compromised as
easily
by malware that's on a host behind the firewall. It's easy for a programon a PC to tell ZA to look the other way. It's a little harder for
it
to tell a hardware firewall to look the other way.Unless of course, the firewall implements the UPnP "Pants Down!"
RPC..
;)
________________________________________________________________________Check Out the new free AIM(R) Mail -- 2 GB of storage and industry-leading spam and email virus protection.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re: PC Firewall Choices, (continued)
- Re: Re: PC Firewall Choices Valdis . Kletnieks (Jan 19)
- RE: PC Firewall Choices Nick Hyatt (Jan 17)
- Re: PC Firewall Choices Valdis . Kletnieks (Jan 17)
- RE: PC Firewall Choices Nick Hyatt (Jan 17)
- Re: PC Firewall Choices Valdis . Kletnieks (Jan 17)
- Re: PC Firewall Choices Michael Silk (Jan 17)
- RE: PC Firewall Choices Nick Hyatt (Jan 17)
- Re: PC Firewall Choices greybrimstone (Jan 17)
- Re: PC Firewall Choices Juliao Duartenn (Jan 18)
- Re: PC Firewall Choices Joachim Schipper (Jan 18)
- Re: PC Firewall Choices greybrimstone (Jan 19)
- Re: PC Firewall Choices John LaCour (Jan 18)
- RE: PC Firewall Choices Very Unprivate (Jan 17)
- Re: PC Firewall Choices greybrimstone (Jan 17)
- Re: PC Firewall Choices Nancy Kramer (Jan 18)
- Re: PC Firewall Choices greybrimstone (Jan 19)
- Re: PC Firewall Choices Stan Bubrouski (Jan 19)
- Re: Secure Delete for Windows sk (Jan 17)
- Re: Secure Delete for Windows Yvan Boily (Jan 17)
- RE: Secure Delete for Windows y0himba (Jan 17)
- Re: Secure Delete for Windows Jason Coombs (Jan 17)