From: Grant Taylor on 11 Apr 2010 13:51

Ansgar -59cobalt- Wiechers wrote:
> Actually, no. It's a rather stupid question. A good question would
> be: why would anyone in his right mind insist on HAVING a software
> firewall on a server?

I would say that part of the problem is the "insistence" of having (or not) a software firewall, with no possibility of the other.

I will argue that a software firewall is just another form of security. (I'm not going to debate how good of a form of security it may or may not be.) Like most good overall security systems, security is provided in layers of multiple smaller forms of security. With this in mind, the software firewall on a server (or anything for that matter) is another layer of security. Thus if the server has the resources to run the software firewall and it is not a detriment to the function of the system, then it's probably ok to have it there. If the server does not have the resources to run the software firewall or if it is a detriment to the function of the system, then don't run the firewall unless you really need to. In short, it is situationally dependent.

> Open ports on a server need to be open, because otherwise the server
> would be unable to provide its services (which would render it rather
> futile). You cannot block access to ports that need to be accessible.

There are some advantages to running a firewall even on ports that you need to have open. Some services don't have any ability to filter what IP addresses are allowed to talk to them. Or there are some cases where it is appropriate to centrally manage a firewall across multiple systems rather than having to manage each service on every system.

I think it really comes down to where a software firewall falls in your overall security scheme. If you feel your organization can benefit from it, then use one. If you feel a software firewall is not appropriate for your organization, then don't use one.

I personally view software firewalls as an additional line of defense to protect against outbreaks behind the edge hardware firewalls.

Grant. . . .
From: gufus on 11 Apr 2010 15:34

Hello, Grant!
You wrote on Sun, 11 Apr 2010 12:51:03 -0500:

| I think it really comes down to where a software firewall falls in
| your overall security scheme. If you feel your organization can
| benefit from it, then use one. If you feel a software firewall is not
| appropriate for your organization, then don't use one.
|
| I personally view software firewalls as an additional line of defense to
| protect against outbreaks behind the edge hardware firewalls.

Excellent policy IMHO

--
With best regards, gufus.
E-mail: stop.nospam.gbbsg(a)shaw.ca
From: gufus on 11 Apr 2010 15:58

Hello, Ansgar!
You wrote on 11 Apr 2010 12:46:15 GMT:

FL> >> i have heard that recommendation many times and do not dispute it,
FL> >> but assuming that the s/w firewall comes up first during boot up,
FL> >> WHY would you insist on not having a s/w firewall on a server?
FL>>
FL>> Good question.
|
| Actually, no. It's a rather stupid question.

Hu.. :(

--
With best regards, gufus.
E-mail: stop.nospam.gbbsg(a)shaw.ca
From: gufus on 11 Apr 2010 16:18

Hello, schtebo!
You wrote on Thu, 8 Apr 2010 04:50:02 -0700 (PDT):

| I think default Firewall from Microsoft should do it for us all.

Taking notes... <grin>

--
With best regards, gufus.
E-mail: stop.nospam.gbbsg(a)shaw.ca
From: Ansgar -59cobalt- Wiechers on 11 Apr 2010 16:52
Grant Taylor <gtaylor(a)riverviewtech.net> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Actually, no. It's a rather stupid question. A good question would
>> be: why would anyone in his right mind insist on HAVING a software
>> firewall on a server?
>
> I would say that part of the problem is the "insistence" of having (or
> not) a software firewall, with no possibility of the other.
>
> I will argue that a software firewall is just another form of
> security. (I'm not going to debate how good of a form of security it
> may or may not be.) Like most good overall security systems,
> security is provided in layers of multiple smaller forms of security.
> With this in mind, the software firewall on a server (or anything for
> that matter) is another layer of security.

Oh *please*, spare me that "layers" bullshit. Personal firewalls do not increase the security of a server. They increase the attack surface (larger codebase, thus most likely more vulnerabilities) and the overall complexity of the system, and thus actually *lower* your security.

[...]

>> Open ports on a server need to be open, because otherwise the server
>> would be unable to provide its services (which would render it rather
>> futile). You cannot block access to ports that need to be accessible.
>
> There are some advantages to running a firewall even on ports that you
> need to have open. Some services don't have any ability to filter
> what IP addresses are allowed to talk to them.

That's what you already filter at the network boundary. No need to filter yet again on the server.

> Or there are some cases where it is appropriate to centrally manage a
> firewall across multiple systems rather than having to manage each
> service on every system.

And managing firewalls centrally instead of managing services centrally is more appropriate, how?

> I think it really comes down to where a software firewall falls in
> your overall security scheme.

They don't. Period.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich