Textpattern CMS support forum

#13 2006-11-23 19:55:25

marios
Archived Plugin Author
Registered: 2005-03-12
Posts: 1,253

Re: firewalls

Not directly related, but thought to mention on this topic. I keep on wondering why people don’t use an encryption scheme for their e-mail correspondence.
Most people just don’t seem to bother, that anyone who wanted to, can read their correspondence, and along with that things like login-infos or just any other private communication, that others could easily exploit if they wanted to.
Setting up GPG isn’t at all too difficult and available for all OS’es.

(Also I don’t trust Skype is safe to use)

regards, marios


Offline

#14 2006-11-23 21:04:12

jameslomax
Member
From: UK
Registered: 2005-05-09
Posts: 448
Website

Re: firewalls

hakjoon wrote:

I have an old free version of Tiny Personal Firewall that I use and absolutely love. It was recommended by some security guys I knew. Tiny’s been gobbled up by CA and I haven’t really used the newer versions but the old version I have does everything and has a tiny memory footprint that caused no slowdowns, especially compared to Zone Alarm.

I’m fond of it myself – it was changed to a ‘Kerio’ version, but was the same product. You can still get it here

Offline

#15 2006-11-23 21:07:25

jameslomax
Member
From: UK
Registered: 2005-05-09
Posts: 448
Website

Re: firewalls

Sencer wrote:

“I have an old free version of Tiny Personal Firewall that I use and absolutely love.”
Hah, I used to use that as well, for years after it disappeared for download. The problem with outdated software is that security issues that eventually always arise tend to go unfixed, esp. with closed source software. Therefore I wouldn’t recommend to keep on using it anymore (even though it hit a sweet spot between features and simplicity and was free and easy to use).
Personally I stopped using any kind of firewall on the desktop. The only kind of firewall that I find is more useful than it is hurtful, is dedicated firewalls, i.e. sitting on distinct machines. Several reasons for that:

  • there’s been several demonstrations and exploits where the firewall itself was what opened up the door for hackers to get access to the machine in question. The more complex a piece of software gets (i.e. the more features it acquires) the more likely it is to contain bugs. And most desktop firewalls clearly are trying to do too much.
  • On most desktop systems you do not need many applications that even listen for incoming network connections, as long as there are no services listening (i.e. no ports open), a firewall has zero benefit, and only worsens the net security (as you now have the firewall sitting there and listening and working with all incoming traffic)
  • You cannot prevent outgoing traffic. That’s simply a fact. Sure all firewall products allow you to make complicated rules for which programs and/or which ports can connect to the outside world, but that only stops very primitive attempts to communicate to the outside. It would only stop software that you trust to respect your wishes in the first place – and that kind of software is likely to let you allow to configure what it does anyway. Desktop-Firewalls can certainly not stop malicious software from communicating to the outside. The options to circumvent firewalls range from tunneling traffic through other applications/protocols, to simply adding malware to the trusted software list of the firewall or simply turning off the firewall (when malicious software acquires the necessary rights) etc. etc.
  • The expertise needed to properly configure a firewall, inherently requires you to have knowledge of what services/software are running on your system in the first place. But at that point you hardly have any benefit from it in the first place.
  • New/additional risks from using a firewall are [wrongly] inflated sense of security/invulnerability. Bugs/potential Exploits in the firewall itself as outlined above, and (often) the hassle of dealing with using and maintaining them.

Instead of using firewalls, my recommendation would be to always keep all software on the desktop up-to-date with all patches, at least all software which in some way accesses the network, or is reachable via the network, which is certainly the OS, browser/mail programs and potentially a couple of other programs. It’s also a good idea to read their respective manuals for how to configure them in a secure way. Never use outdated, unmaintained software with network-access.

Ack. Not encouraging.
But what about the way a firewall can/does block unwanted use of .dll files, for example? – surely, that’s only a good thing? – they don’t just block applications; they do more than that…..

Offline
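
The point in the quoted post, that a desktop firewall only matters for ports something is actually listening on, can be checked directly. The following is an added example, not part of the thread: it parses a constructed sample in the layout of Windows `netstat -ano` output and separates loopback-only listeners from network-reachable ones. The function names and sample rows are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the layout printed by Windows `netstat -ano`.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2100
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.7:443        ESTABLISHED     5120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:5354             [::]:0                 LISTENING       2100
  UDP    0.0.0.0:5353           *:*                                    2100
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    return ipaddress.ip_address(host), int(port)

def listeners(netstat_text):
    """Return sorted (proto, port, pid, scope) for sockets accepting traffic."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # TCP rows carry a state column; UDP rows do not, and a bound UDP
        # socket can always receive datagrams.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        addr, port = split_endpoint(f[1])
        scope = "loopback-only" if addr.is_loopback else "network-reachable"
        found.add((f[0], port, int(f[-1]), scope))
    return sorted(found)

def exposed_ports(netstat_text):
    """Ports a remote host could reach if nothing filters them."""
    return sorted({(p, port) for p, port, _, s in listeners(netstat_text)
                   if s == "network-reachable"})

if __name__ == "__main__":
    for row in listeners(SAMPLE):
        print("%-4s %-6d pid=%-6d %s" % row)
```

An empty result from `exposed_ports` is the "no ports open" case the post describes; each remaining entry is a service to patch, rebind to loopback, or disable.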

#16 2006-11-23 23:05:49

Sencer
Archived Developer
From: cgn, de
Registered: 2004-03-23
Posts: 1,803
Website

Re: firewalls

But what about the way a firewall can/does block unwanted use of .dll files, for example? – surely, that’s only a good thing?

You tell me. Is it? In what scenario is this helpful, and does it prevent certain kinds of negative things from happening altogether, or does it just remove one attack vector where there are many, many more to choose from? A .dll bundles some functionality and provides a documented way to access it. The real problem with “unwanted use of .dll files” is that there is apparently code running that you rather wish would not be running, whether or not it’ll achieve its goal via this .dll, or that program, or “built-in functionality” of the code that’s running is often not all that relevant. I guess it’s possible to construct situations where preventing program X from using .dll Y is in fact helpful and just what you need, I just doubt that for most people that will be the case.

Offline

#17 2006-12-03 19:27:16

NyteOwl
Member
From: Nova Scotia, Canada
Registered: 2005-09-24
Posts: 539

Re: firewalls

Torrent works fine through my firewalls. NAT is not intended as a firewalling system though it’s commonly touted as such.


Obsolescence is just a lack of imagination. / 36-bits Forever! / #include <disclaimer.h>;

Offline
