  DracoFelis Premium join:2003-06-15
reply to rosco Re: Good enough for me
I personally found this article very misleading, to the point of "crying wolf" (and having just plain FALSE info). While I agree that you don't just put in a "consumer firewall" and expect you are protected from everything out there, they can be a very effective form of defense.
Consider:
1) My SMC Barricade+ (SMC7004FW) does have "stateful packet inspection", as do a number of other "home firewalls". Yet the article claims that this feature is only in "business firewalls".
2) The article claims that "home firewalls" only provide "security through obscurity", but won't actually stop any attacks once someone knows about you. Yet my "home firewall" has protected me from some very serious worms, until I got a chance to patch the Windows box behind it! And I've even tested the firewall by having the "computer security officer" (at my office) "port scan" my box! Sure enough, the ports were blocked from the internet (and the "security officer" has taken classes in "hacking techniques" to better know how to protect against them, so he knows how to check for vulnerable computer systems)!
3) The article claims that home firewalls generally allow "outbound connections" (true), and for "maximum protection" you should start with disallowing everything and only "open up ports" if/when needed (also true). But then the article goes on to say you need a "business firewall" for this protection, which is clearly false! With many "home firewalls" you have the option (if you think the extra security is worth the extra hassle setting things up) to block outbound connections as well! For example, I have my "home firewall" set up to block outbound attempts to use the Microsoft "filesharing ports", as a way to protect myself against rogue web sites stealing the username and "password hash" for my logged in account! The article seems to claim this isn't possible with a "home firewall"!
4) The article claims that "dial-up users" are reasonably safe from attack (without protection), yet I've seen several cases of dial-up users getting hit by internet worms, often within a few minutes of being connected (especially if/when a virulent worm is currently "on the loose"). While dial-up is slower, and not always on, they are still very vulnerable while they are connected unless they are "protected"! OTOH: My "always on" DSL connection is sitting a lot safer behind its "home firewall" than any dial-up user!
5) The article mentions that if someone is just using one of these "home firewalls", they are still vulnerable to attacks. I agree with this. One easy example is email based viruses (which will go right past any firewall). But this is also true of "corporate grade" firewalls too! In both cases, anti-virus scanning of your emails is a good idea (and yet the article doesn't make this distinction, and just implies that this is a problem with "home firewalls", vs an inherent limitation of all firewalls)!
All things considered, I have to wonder about the "security experts" that wrote that article! IMHO they either "don't have a clue", or are deliberately "misleading the public" to sell their own "solutions". Either way, I plan to never do business with these turkeys....