Posted by Mr. Arnold on April 7, 2008, 6:50 pm
>
> Hehe, I know what SW and HW firewall is, in pure IT terminology.
>
> For simplicity I called both HW FWs, as having dedicated device for
> their functionality, in opposite to so called PFWs.
>
> I know what the gateway computer is about,
> and I know about all the OSI or TCP/IP layers it works with.
> I know what NICs are too, obviously.
>
> Surprisingly, firewalls have nothing to do with NICs. They were here
> before computers came. FWs safely separate 2 independent spaces
> so that fire does not easily get from one to the other. What the "space" and
> the "fire" are can have a high level of abstraction.
What? The traffic travels from the WAN to the LAN. That is traffic that's
let through the firewall, between the trusted and untrusted zones. Whether it be two
NICs doing a (WAN/LAN) or the WAN/LAN on a FW appliance, traffic is
controlled between the interfaces, inbound and outbound, between the trusted and
untrusted zones, with a FW solution.
>
> Computers with NICs, separating networks are just one particular
> application of this idea.
> Dividing spaces inside and outside of computers is other application.
>
> But I agree with you, just for pure terminology reasons,
> it is unlucky to call both of them firewalls.
> Neither do I like calling something tea that did not originate
> from Camellia sinensis.
>>
>> Comodo is not a FW. It's a machine level packet filter that protects at
>> the
>> machine level. It protects the services running on the computer at the
>> machine level. It does not separate two networks, like a FW does.
>
> "PFWs" were packet filters, let's say 6-7 years ago. Now these would be
> horribly inefficient in protection. BTW some simple pure HW firewalls
> are not any better than these packet filters...
>
That's a NAT router for home usage. That's not a FW appliance.
>> Yeah, they got a lot of snake-oil in them trying to protect you from you
>> that it cannot do.
>
> Well, I can get whatever I want through the big corporate firewalls of our
> big IT company. I would not be able to do it if my workstation there
> had a modern PFW properly configured not to allow me.
Look man, I was contacting my ISP's NNTP server on TCP 119 and POP3 TCP
110/SMTP on TCP 587 from my laptop at a client's site. First they told me
they didn't want me to do it, and then when I continued, they stopped the
connections via the company's network FW. So, please don't tell me that they
cannot stop you if they choose to do so. Whatever you're doing, they don't
view it as a threat that needs to be stopped. They stopped me last Friday by
setting FW rules.
So, are you going to sit there and tell me you have some kind of slick
little program that's hiding your activities, and that the FW admin can't see
what you're doing? <g>
>>
>> >
>> > SW FW can be more easily compromised,
>> > but on the other hand, they have more chances
>> > to detect application hijacking
>> > and suspicious interprocess communication.
>>
>> That's not a FW functionality. That's snake-oil in a personal so called
>> FW
>> or personal packet filter trying to protect you from you, that it cannot
>> do.
>
> It depends on what you mean by separating networks.
> If this is not FW functionality, then they will be obsolete soon.
It never was a FW functionality. It's a snake-oil personal FW solution.
>
> There is no need to compromise or even attack FW ( where HW/SW ones are
> strong ), if you can persuade him.
We are talking about something like Comodo that runs with the O/S. The O/S
can be fooled and so can the snake-oil PFW solution if malware can get there
and can be executed. It can punch right through it.
> These days it is so easy to bypass the strong inbound protection of HW
> firewalls by other ways, relying on the weak human factor.
> And then, it is so easy to persuade firewalls that outbound traffic should be
> allowed.
So, what happens at the boot and login process when malware can beat the
PFW, run and communicate, before the PFW can run to protect the
connection? The O/S is not waiting for the PFW before the connection is made
available. The 3rd party PFW is not an integrated solution.
>
>> However, if the O/S on a gateway computer is stripped of all software and
>> services that could lead to a compromise of the gateway computer, it's
>> just as secure as a hardware solution.
>
> No point to disagree here.
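The point argued in this exchange, that a firewall controls traffic between a trusted and an untrusted interface and that an admin can cut off specific outbound services such as NNTP (119), POP3 (110) and SMTP submission (587) with a rule, is easier to see in code than in prose. Below is an added example that models a two-interface stateful packet filter; it is not code from the thread or from any product mentioned in it. The packets, the 192.168.1.0/24 LAN prefix, the rule table and the addresses are all constructed for the example.

```python
"""Toy two-interface stateful packet filter modelling WAN/LAN zone separation.
Added example for illustration; not code from the thread or any product in it."""
from dataclasses import dataclass

# Constructed assumption: everything in 192.168.1.0/24 is the trusted LAN side,
# anything else is the untrusted WAN side.
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrived on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int


def zone_of(addr):
    """Map an address to the zone (interface) it belongs to."""
    return "lan" if addr.startswith(LAN_PREFIX) else "wan"


# Ordered rule table: (ingress zone, egress zone, dport or None, action).
# First match wins. Constructed to mirror the admin rules described in the
# post: LAN hosts may reach the WAN except for NNTP, POP3 and SMTP
# submission; nothing unsolicited from the WAN reaches the LAN.
RULES = [
    ("lan", "wan", 119, "DROP"),
    ("lan", "wan", 110, "DROP"),
    ("lan", "wan", 587, "DROP"),
    ("lan", "wan", None, "ACCEPT"),
    ("wan", "lan", None, "DROP"),
]


class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.conntrack = set()  # accepted flows as (src, sport, dst, dport)

    def filter(self, pkt):
        # Anti-spoofing: a packet must arrive on the interface its source
        # address belongs to, or it is discarded before any rule is consulted.
        if zone_of(pkt.src) != pkt.in_if:
            return "DROP"
        out_if = zone_of(pkt.dst)
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful part: packets belonging to an already accepted flow pass in
        # either direction, which is what lets WAN replies back into the LAN.
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"
        for rin, rout, port, action in self.rules:
            if rin == pkt.in_if and rout == out_if and (port is None or port == pkt.dport):
                if action == "ACCEPT":
                    self.conntrack.add(flow)
                return action
        return "DROP"  # default deny for anything no rule covers


def scenario():
    """Run constructed packets through the filter; returns the verdict list."""
    fw = Firewall()
    client, web, news, attacker = "192.168.1.10", "203.0.113.5", "203.0.113.9", "198.51.100.7"
    packets = [
        Packet("lan", client, 40000, web, 80),      # LAN browsing out: allowed
        Packet("wan", web, 80, client, 40000),      # reply to that flow: allowed (stateful)
        Packet("lan", client, 40001, news, 119),    # LAN to NNTP: blocked by admin rule
        Packet("lan", client, 40002, news, 587),    # LAN to SMTP submission: blocked
        Packet("wan", attacker, 5555, client, 445), # unsolicited inbound SMB: blocked
        Packet("wan", client, 40003, web, 80),      # LAN source seen on WAN side: spoof, dropped
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

The rule table is evaluated per direction between the two zones, and only flows accepted on the way out are allowed to return; that is the difference between a stateful gateway filter and a plain per-packet filter, and it is why the admin's three DROP lines stop the NNTP and SMTP submission sessions before they are ever tracked.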