
Thread: A reason NOT to have a software firewall

  1. #1
    HEXUS webmaster Steve's Avatar

    A reason NOT to have a software firewall

    http://slashdot.org/article.pl?sid=04/03/21/0023254

    Some people will know I say you don't need a s/w firewall if you have a hardware one and others argue that it provides another layer of protection.

    Well, aside from my arguments that they take up resources, are a pain to set up properly and once fiddled with to get the network working aren't secure anyway, there's now another reason, as highlighted in the above /. article.

    Of course, it is still down to the individual as to whether the risks outweigh the possible security benefits.
    PHP Code:
    $s = new signature();
    $s->sarcasm()->intellect()->font('Courier New')->display(); 

  2. #2
    Ex-MSFT Paul Adams's Avatar
    It is worth noting that this particular worm is exploiting a vulnerability in the intrusion detection system (IDS) side of BlackICE, not any traditional "firewall" feature.

    This is also one of the reasons I always recommend a modular IT environment - dedicated machines for specific jobs, I would never use a PC as a "hardware" firewall for example, and I prefer separate products for AV, IDS, port filtering, ad filtering, spyware removal, etc.

    Even though I use Zone Alarm Pro, I turn off all those "privacy settings" controls and let AdSubtract take care of that as a dedicated role - and this is exactly why I moved away from BlackICE years ago as I don't believe IDS has any part to play in a firewall (even though this is becoming the trend for SOHO firewalls from some vendors I believe).

    That said, I now have to go and patch all my IDS network sensors before one of them gets blown up
    (Though I do keep Ghost images of all our servers so it wouldn't be that catastrophic at work.)
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  3. #3
    Member
    More information on this at The Register. Agnitum Outpost firewall allows me to block all other TCP and UDP traffic if I haven't set rules for an application already. It really depends on the random port nature of the worm and infected software firewalls.

  4. #4
    Senior Member Kezzer's Avatar
    Or do the other thing. Get a 486, install IP-COP on it, there you go, a nice Linux OS which is dedicated for routing and has a nice Linux firewall on it. Typically a text based OS although if you access it through a local machine you can interact with it graphically. Problem sorted

  5. #5
    Senior Member
    I sit behind a Linux gateway with a good strong iptables script, so that takes care of pretty much everything. I do have NAV on all the client machines though, it's an added layer of protection, and besides, iptables can't protect the Windows clients from when some divvy gives you an infected CD!

    Kez - you can run VNC on the Linux server and that way interact with it graphically from the comfort of your Windows machine by running a virtual desktop. I don't do it meself, I'm a command line freak, but I know lots who do.

  6. #6
    HEXUS webmaster Steve's Avatar
    Quote Originally Posted by MrFlibble
    Kez - you can run VNC on the Linux server and that way interact with it graphically from the comfort of your Windows machine by running a virtual desktop. I don't do it meself, I'm a command line freak, but I know lots who do.
    The Linux box does not have X on it nor do I want to install it - I'm happy as Larry with an SSH connection and the web interface.
