RE: FYI: FW: [fw-wiz] Re: Home/SOHO "Firewall" Routers

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Jun 2004 21:59:56 -0500

Hi John,

The problem is there are only two reasons why you would need a
"hardware" firewall:

1. You need fast packet passing
2. You need the router functionality 

The thing is, "hardware" firewalls are pretty weak when it comes to true
firewalling. The hardware firewall fans are still thinking of "opening
ports" when the port based approach is no longer valid when it comes to
protecting the network. You need stateful application layer inspection,
strong user/group based authentication for all inbound and outbound
connections, and the ability to adapt to threats based on more than the
dumb*ss approach of "closing a port" (like the moron ISPs are using to
DoS legitimate secure Exchange RPC connections by blocking TCP 135).

"Hardware" firewalls have a place, but it is more of a processor offloading
for the real firewall, like ISA Server 2004.

Check out:
http://isaserver.org/articles/2004tales.html

For details.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, June 15, 2004 8:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FYI: FW: [fw-wiz] Re: Home/SOHO "Firewall" Routers


http://www.ISAserver.org

One thing I can say, a true hardware firewall, not some lower grade
want-to-be-all router with added firewall functions, is always a better
choice if you truly need a hardware firewall.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: Greg Mulholland [mailto:gregstelatel@xxxxxxxxxxx]
> Sent: Tuesday, June 15, 2004 6:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: FYI: FW: [fw-wiz] Re: Home/SOHO "Firewall" Routers
> 
> Tom, I can say my hardware routers/firewall boxes have given me more trouble
> than I care to mention. Someone once told me they weren't susceptible to
> exploits like a software firewall was, hmmmmmmmmm
> 
> 
> Greg Mulholland
> "Firmware Upgrader"
> 
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, 16 June 2004 11:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] FYI: FW: [fw-wiz] Re: Home/SOHO "Firewall" Routers
> 
> Repeat after me: "hardware" firewalls are more secure than software
> firewalls, hardware firewalls are more secure than software firewalls....
> 
> (you get what you pay for too):
> 
> 1. Linksys WiFi Gateway Remote Attack Risk Slashdot URL:
> <http://tinyurl.com/yuh8j>
> 
> "According to InternetNews.com, a tech consultant discovered that even if
> you turn the remote administration feature off on a Linksys WRT54G -- the
> single bestselling Wi-Fi device in the world -- you can still remotely
> access it through ports 80 and 443. Linksys sets the HTTP username to
> nothing and password to 'admin' on all of its devices by default. Web site
> scanning from anywhere in the world to devices that have routable
> Internet-facing addresses would allow script kiddie remote access, at which
> point you could flash the unit with new firmware, extract the WEP or WPA
> key, or just mess up someone's configuration and change the password."
> 
> 2. Netgear's silly fix for Netgear Router backdoor Slashdot URL:
> <http://tinyurl.com/2ffcf>
> 
> An anonymous reader writes "Recently Slashdot reported that the Netgear
> router has a WLAN backdoor. According to this report by the news service of
> the German publisher Heise, Netgear "fixed" the problem with a firmware
> update. And what is the fix? According to Heise, they didn't remove the
> backdoor at all. Instead they just changed the login information! They
> replaced the old user name 'super' with 'superman', and changed the old
> password to '21241036'."
> 
> 3. Belkin Routers route user to Censorware Ad Slashdot URL:
> <http://tinyurl.com/ysdd4>
> 
> The Register has a story today about Belkin routers redirecting their users'
> network traffic. To me, this seems like the logical next step after
> top-level domain name servers piping ads to your browser. Now the routers
> themselves hijack the traffic they are supposed to, uh, route -- and you'll
> love where they send you instead. But it's OK because you can opt out.
> Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in
> 2001 quoted John Gilmore's famous aphorism about the internet, and asked
> "What if censorship is in the router?"
> 
> _Vin
> 
> 
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxx
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gregstelatel@xxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist