I thought i was the only one....

[Apex]

but it seems there are others out there that believe we ar fed FUD over security.

http://support.metronet.co.uk/security

Now this is based on opinions, i do not see my self has a security expert at all just a informed user

[djand]

I've been running Linux for over ten years now, don't regret it a bit. Many games run well too, like Americas Army (running native) and with cedega quite a few win32 games run very well.

Still, Windows does have its place: Removing viruses and spyware can pay fairly well.

[Paul Adams]

Using a router completely removes the requirement for a personal firewall...

I hate it when I see statements such as this.

A (NAT) router will protect your LAN from connections originating from the Internet, but it will not stop your machines making outbound connections to wherever they like without your knowledge.

So no, routers (and routers with built-in firewalls) do not negate the purpose of personal firewalls at all - and P2P. VPN or VoIP users may disagree after they have a nightmare of a time trying to set up port forwarding and disable SPI.

Anti-Virus software is a joke on personal computers; the only place worth installing it is on an e-mail server. Its logistically difficult to keep a large number of computers all in synchronisation with a central server; besides anti-virus signatures only become available after several people have been infected and after the company has had time to analyse and produce the signature.

Where to begin... I worked for a building society with around 1000 users and all Internet access was through proxy servers with Sophos AV running.

When we heard about Code Red, Nimda et al we started to have a look around at sites that had been infected - and managed to get a worm downloaded onto a client which the local AV detected and squished.

Without both layers of AV, even using a proxy server, we might have had an infection on the corporate LAN - so I will continue to argue that AV has its place and it is not difficult to keep the virus definition files up to date for either Sophos or McAfee (in fact Sophos updates were triggered by the email alert so it updated itself within minutes of new signatures).


The theme of the FAQ appears to be "if it's not a 100% solution in all cases at all times then it has zero value".
Well cars get stolen every day (few minutes? hours?) even with cunning alarms, immobilisers and locks - do we ditch these too as they aren't 100% foolproof?

Reads a bit like a rant from a support guy that had one too many "half clued-up" customer calls to me.

[ikonia]

Paul Adams.....such suckers who believe routers replace firewall as the suckers that use windows and ms office. Allow them to suffer for their ill-guided decisions

[nichomach]

Where to start with this...

"Personal firewalls do the full port ‘stealth’ing and ping blocking to pretend that they are increasing your level of security, but in reality if they simply just ‘closed’ all your ports to the outside world then you would be just as secure (if not more so)."

Which is precisely what decent (and free) personal firewalls do, in addition to filtering outbound traffic, which even most SPI-capable routers don't.

"Personal firewalls are infamous for breaking more than they fix..."

Nothing like a sweeping statement without any evidence to really enlighten people. So how come all my users who didn't have a personal firewall on their home machines got Blaster-ed and Sasser-ed to death, while all the ones with Zonealarm remained unscathed?

"Its now becoming very much standard process amongst the support team to make sure the user has their firewall software disabled (or even uninstalled as often disabling is not enough) at which point the users connection suddenly bursts into life. "

Trans: We can't be bothered advising you as to a decent personal firewall, so we'll just tell you to turn yours off - after all, if you get hit by Sasser or a blaster variant, it's not OUR machine...

"Using a router completely removes the requirement for a personal firewall"

As Paul says, it'll deal with inbound connections, but not outbound ones.

"For example if you are running Windows 98/ME/2k/XP/2k3 then you should run Microsoft Windows Update at least once a day, you can even configure it to actually inform you when there are new updates available."

Yes, those are called Automatic Updates which the SP2 that they spend so much effort decrying turns on by default.

"Firewalls on workstations is a pointless exercise when deployed as the only form of protection from the Internet."

Oh, agreed, absolutely, as penetrating an insight as saying that crossing your fingers doesn't protect you from bubonic plague.

"If a trojan/virus/worm installs its-self on your computer it can with great ease disable the firewall completely or only enough so that it can carry out its actions"

Yes, that's why you run antivirus software and keep it up to date, a process that can be completely automated, even in free AV like AVG.

"Anti-Virus software is a joke on personal computers..."

I'm so glad they told me that - I must have imagined the vaporisation of those nasty little virii that people bring in on floppy disks, CDs that a mate gave them etc. etc...

"the only place worth installing it is on an e-mail server."

This is such bull****; one, because of those floppies and CDs, and two, because it ALSO works handily on a proxy server to filter and scan downloads.

"Its logistically difficult to keep a large number of computers all in synchronisation with a central server"

Not really; using tools such as McAfee's ePolicy Orchestrator or even having a central management server (we use Symantec) it's not logistically difficult at all. In fact I can automate the process completely. Works for me.

"besides anti-virus signatures only become available after several people have been infected and after the company has had time to analyse and produce the signature."

Which is why most AV packages have heuristics built in to detect unregistered viruses - and for all they talk about "A new virus is produced every hour", the vast majority of those are variants of existing strains which heuristics are highly likely to pick up. And THEY whine about FUD?

I also love the bit about "research has been done that showed you need at least two or more anti-virus products installed". Of course, the research in question was carried out by GFI whose major selling point for their mail scanning software is that, guess what, it uses multiple scanning engines. I don't have anything against GFI, they make some good products, but to cite this as "research" is like using the Cillit Bang! commercial as a science lesson.

Essentially this article argues that because each security package doesn't defend against all known threats, then they are all worthless and should be discarded. This is just stupid. Of course a firewall won't help you if you download a virus or run a malicious attachment from an email; and antivirus software won't help you against a direct network based attack. Neither is designed to do those jobs; you use a layered defence.

To borrow a friend's analogy, it's like a castle; you have a curtain wall to defend you against frontal assault (your firewall) and cauldrons of boiling oil handy in case someone leaves a gate open (your AV software).

edit: I don't count myself as a "security expert", but it seems to me that this little rant is as ill-informed and damn near as self-serving as the GRC stuff it attacks. And these people are advising customers? Why don't we have a "shudder" smiley? Mods, please note...

[ajbrun]

After posting that i'd got a new firewall router, and might need help with networking and the firewall, i pomptly got a PM. I'm not going to name this person, but i will say i nearly followed his advice. He said i could now turn off my firewall. I haven't done because i think having 2 i safer thn 1. That person will proberly read this, and no offence, but i would have thought it to be safer my way (unless you can back this up).

[Apex]

Reads a bit like a rant from a support guy that had one too many "half clued-up" customer calls to me.

It does say that at the top of the page thought