Well, there are different ways to make a firewall. The "easiest" is a packet filter, which just denies packets sent from wrong IP addresses or for wrong ports. However, it is difficult to set up and thus there are better ways to make a firewall, of course requiring more computing power.
"Stateful Inspection" is one of the most powerful ways to protect you because the firewall checks whether a packet belongs to an outgoing connection (such as an HTTP request, or SMTP session, etc.) or not, and blocks all that does not belong to an outgoing connection. This is what ZoneAlarm and other firewalls do. However, ZoneAlarm is a Windozze firewall program, and a Windozze firewall program can't do any good...
Besides that, there are different ways to configure a firewall... you can allow everything except things that are forbidden, or you can forbid everything, except things that are allowed. Guess what is highly insecure...
The default setting of my Zyxel firewall is "block everything but outgoing connections". This seems to be a good setting, and also a good default setting. The rule applies also for packet filtering.
Regarding your test, James, it seems all the firewalls tested were Windozze firewalls. A Windozze firewall can't do any good... *sigh* Just let me ask one question: Who guarantees me that there is no security leak built into Windows that allows a hacker to bypass a firewall program? And we are not yet talking about firewall errors at the moment...
If someone REALLY is looking for REAL security, in my opinion there is no way but a "black box" styled firewall outside of a PC. - Well, of course you can also make a lean, clean PC running some Unix flavour, using a custom kernel of course, and a hand-crafted firewall program that does fulfill your specific needs. (That's what they did at AT&T, read the book I mentioned.) But I guess this is wayyy too complicated and out of effort for most of us.
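The difference between a plain packet filter and stateful inspection with a "block everything but outgoing connections" default, as an added example that is not part of the original post. The packet model, the addresses and the static "allow replies from port 80/443" rule are constructed for illustration; real firewalls also track protocol, TCP flags and timeouts.

```python
from collections import namedtuple

# Constructed packet model: direction is "out" (LAN -> Internet) or "in".
Packet = namedtuple("Packet", "direction src sport dst dport")


def stateless_filter(pkt):
    """Packet filter: judges each packet alone, by address and port only."""
    if pkt.direction == "out":
        return True
    # Hypothetical static rule: let "web replies" in, judged by source port.
    return pkt.sport in (80, 443) and pkt.dport >= 1024


class StatefulFirewall:
    """Default deny inbound; allow outbound and replies to tracked flows."""

    def __init__(self):
        # Each entry: (local_ip, local_port, remote_ip, remote_port)
        self.flows = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            # Remember the connection so its replies can be recognised.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound packets must mirror a flow that was opened from inside.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def demo():
    """Return {name: (stateless_verdict, stateful_verdict)} for sample traffic."""
    fw = StatefulFirewall()
    samples = [  # constructed sample traffic
        ("request", Packet("out", "192.168.1.10", 50000, "203.0.113.5", 80)),
        ("reply", Packet("in", "203.0.113.5", 80, "192.168.1.10", 50000)),
        # Never requested from inside, but it looks like a web reply.
        ("unsolicited", Packet("in", "198.51.100.7", 80, "192.168.1.10", 50001)),
    ]
    return {name: (stateless_filter(p), fw.allow(p)) for name, p in samples}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12} packet filter={stateless!s:5} stateful={stateful}")
```

The unsolicited packet passes the packet filter because its ports match the static rule, while the stateful firewall drops it because no outgoing connection corresponds to it.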