This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

New Kensington USB Software Firewall
2006-02-24, 11:06 AM #1
http://us.kensington.com/html/6493.html

Damn cool.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2006-02-24, 11:24 AM #2
What is this supposed to do? All I can find is "OMG protects ur computa from 3v|1 h4x0rz!!!!1111"
Sorry for the lousy German
2006-02-24, 11:34 AM #3
It's a standard software firewall - port controlling, program permissions, etc. Furthermore, the drive has a physical write protection switch, so hackers can't hack the firewall and write their own exceptions.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2006-02-24, 11:37 AM #4
wtf is up with trademarking the phrase 'digitally active'? dumb.
"it is time to get a credit card to complete my financial independance" — Tibby, Aug. 2009
2006-02-24, 11:49 AM #5
It says for Notebooks, I assume it can be used for desktops?
SnailIracing:n(500tpostshpereline)pants
-----------------------------@%
2006-02-24, 12:48 PM #6
I would never use it. Looks like just a hype product for so-called "mobile professionals" who are really business people with no clue.
Historians are the most powerful and dangerous members of any society. They must be watched carefully... They can spoil everything. - Nikita Khrushchev.
Kill one man, and you are a murderer. Kill millions of men, and you are a conqueror. Kill them all, and you are a god. - Jean Rostand.
2006-02-24, 1:33 PM #7
Software firewalls suck. Period.
D E A T H
2006-02-24, 1:37 PM #8
Originally posted by Dj Yoshi:
Software firewalls suck. Period.

Why?
2006-02-24, 2:03 PM #9
They don't work.
D E A T H
2006-02-24, 3:29 PM #10
Software vs. Hardware Firewalls.
2006-02-24, 4:23 PM #11
Hardware firewalls are just specialized machines running firewall software. They are no different from a software firewall. Personally, I'd rather have a machine running pf instead of a "hardware" firewall any day. :p
[This message has been edited. Deal with it.]
2006-02-24, 4:26 PM #12
Originally posted by Dj Yoshi:
They don't work.

Wow, you've got me convinced. I can't argue against that. :rolleyes:
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2006-02-24, 4:39 PM #13
Good read using Mentat's google link: Firewall
No sig.
2006-02-24, 4:41 PM #14
Originally posted by Centrist:
I would never use it. Looks like just a hype product for so-called "mobile professionals" who are really business people with no clue.


According to my cyber security professor, who has more than 20 years of experience as a CITO, it works just dandily.

On the argument of hardware vs. software: get both. You'll be better off. If you've got budget constraints, you go with hardware, of course - faster and stronger protection. But that doesn't mean that having two or three software firewalls is a bad idea.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2006-02-24, 4:53 PM #15
Originally posted by Malus:
Hardware firewalls are just specialized machines running firewall software. They are no different from a software firewall. Personally, I'd rather have a machine running pf instead of a "hardware" firewall any day. :p


What would be the benefit of running a software firewall in addition to this, assuming I'm not paranoid? :p
woot!
2006-02-24, 4:59 PM #16
The 802.1x authentication definitely puts you a step above the typical home router. The built-in firewall will do fine for a SOHO network. However, putting a (good) hardware firewall between the router and a switch won't hurt.

Quote:
Hardware firewalls are just specialized machines running firewall software. They are no different from a software firewall. Personally, I'd rather have a machine running pf instead of a "hardware" firewall any day.


Hardware firewalls are faster and more secure than software firewalls. I'd rather have a hardware firewall than a software firewall running any day of the week. Of course, I'd rather have both the software AND hardware firewall running.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2006-02-24, 5:37 PM #17
I always thought it would be fun to use a public computer (i.e. Library) put a keylogger on it, come back in a week, gather the logs, and run away with God knows what amounts of personal info. :p

$$$$$ :D
Naked Feet are Happy Feet
:omgkroko:
2006-02-24, 6:24 PM #18
Originally posted by JLee:
What would be the benefit of running a software firewall in addition to this, assuming I'm not paranoid? :p


I would run just pf on an OpenBSD box (the computer it is running on would be the hardware). Running both would probably be overkill. However, I prefer having the flexibility of pf on a solid OS than some cheap "hardware" firewall. The only real disadvantage is that a computer takes up more room and resources than a router does.
[This message has been edited. Deal with it.]
2006-02-24, 6:26 PM #19
Software firewalls have the disadvantage of being run on top of a workstation which itself can be exploited. But if you lock things down pretty good, it won't be a problem for even large, small businesses. Certainly more effective than cheap hardware firewalls in cable "routers." A REAL hardware firewall solution will cost much, much more.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2006-02-24, 6:31 PM #20
Of course, Linux router box > all solutions (except that Kerio $600 firewall, that's flippin insane)
2006-02-24, 6:38 PM #21
Originally posted by Cool Matty:
Of course, Linux router box > all solutions (except that Kerio $600 firewall, that's flippin insane)

Not really. For a Linux firewall using iptables to be effective, the user must really know what they're doing. Which excludes just about all your typical Linux zealots who go around touting the benefits of iptables without having much real experience with it. Ahem.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2006-02-24, 6:43 PM #22
Originally posted by HCF_Duke:
Good read using Mentat's google link: Firewall


The guy totally forgot to mention that any virus or trojan running on your computer can configure the firewall to its liking or find out which program is allowed and use that.
Plus a running software firewall heightens the exploitable code running on your machine, thus making it more vulnerable. Not less.
Sorry for the lousy German
2006-02-24, 6:47 PM #23
Originally posted by Impi:
The guy totally forgot to mention that any virus or trojan running on your computer can configure the firewall to its liking or find out which program is allowed and use that.

Unless you have decent anti-virus software.

Originally posted by Impi:
Plus a running software firewall heightens the exploitable code running on your machine, thus making it more vulnerable. Not less.

How about a real explanation instead of a regurgitated blanket statement which may not apply in any real world situation?
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2006-02-24, 6:55 PM #24
Originally posted by Emon:
Unless you have decent anti-virus software.


Which can also only warn you if it finds a virus it knows.

Quote:
How about a real explanation instead of a regurgitated blanket statement which may not apply in any real world situation?


This was the first English link I found: http://www.eeye.com/html/Research/Advisories/AD20040423.html
There have been others and there will be others. Almost every piece of software has flaws. So keeping the running software to a minimum reduces the risk of being exploited.
Sorry for the lousy German
2006-02-24, 7:07 PM #25
Originally posted by Malus:
I would run just pf on an OpenBSD box (the computer it is running on would be the hardware). Running both would probably be overkill. However, I prefer having the flexibility of pf on a solid OS than some cheap "hardware" firewall. The only real disadvantage is that a computer takes up more room and resources than a router does.


The other real disadvantage is that I already have the router.. :p
woot!
2006-02-24, 7:46 PM #26
Originally posted by Emon:
Not really. For a Linux firewall using iptables to be effective, the user must really know what they're doing. Which excludes just about all your typical Linux zealots who go around touting the benefits of iptables without having much real experience with it. Ahem.



Just because people don't know how to use something doesn't make it any less effective :p
.hack//SIGN - The World - Just Believe

(Yes, This is Cool Matty)
2006-02-24, 7:53 PM #27
Originally posted by Tsukasa:
Just because people don't know how to use something doesn't make it any less effective :p


Eh...yes it can..
woot!
2006-02-24, 7:53 PM #28
Originally posted by Impi:
The guy totally forgot to mention that any virus or trojan running on your computer can configure the firewall to its liking or find out which program is allowed and use that.


You have to get one first. If you already have a virus or trojan, does the type of firewall even matter? Your defenses have already failed at that point.

Quote:
Plus a running software firewall heightens the exploitable code running on your machine, thus making it more vulnerable. Not less.


Oh, so "hardware" firewalls don't have any exploitable code in their firmware? I mentioned running OpenBSD, which probably has much less exploitable code than any "hardware" firewalls out there.
[This message has been edited. Deal with it.]
2006-02-24, 8:01 PM #29
Originally posted by Impi:
Which can also only warn you if it finds a virus it knows.

What? The whole point of anti-virus is to REMOVE viruses. Any decent piece of anti-virus software can be set up to automatically quarantine or clean infected files.

Originally posted by Malus:
Oh, so "hardware" firewalls don't have any exploitable code in their firmware? I mentioned running OpenBSD, which probably has much less exploitable code than any "hardware" firewalls out there.

Actually, dedicated hardware firewalls, i.e. NOT broadband routers and home firewalls, are still a good bit better. I'm talking real commercial level stuff, e.g. Cisco. I worked with some basic Cisco 2500 routers a few years back and even those were pretty hardened. The hardware and firmware are designed specifically for being a firewall, so it's definitely much tighter. You can, theoretically, get a software firewall to be as secure, but it's going to take a lot more time, effort and knowledge than purchasing a dedicated hardware firewall. Obviously it's better for SOHO solutions because of cost, but for anything enterprise, you do want hardware.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2006-02-24, 8:24 PM #30
Originally posted by Impi:
There have been others and there will be others. Almost every piece of software has flaws. So keeping the running software to a minimum reduces the risk of being exploited.


First: "Symantec has released a patch for this vulnerability. The patch is available via the Symantec LiveUpdate service."

Secondly, if someone has made it past your hardware firewall, you'd rather leave yourself completely open to any attack instead of at least trying to come up with a secondary defense?
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2006-02-25, 3:38 AM #31
Originally posted by Malus:
You have to get one first. If you already have a virus or trojan, does the type of firewall even matter? Your defenses have already failed at that point.


Yes, that's the point I'm trying to make.

Quote:
Oh, so "hardware" firewalls don't have any exploitable code in their firmware? I mentioned running OpenBSD, which probably has much less exploitable code than any "hardware" firewalls out there.


True, but it's also possible to run without any form of packet-filter at all. Just tighten down your services. That can be a pain in the donkey with Windows, but it's not impossible.
Then there's the physical separation of a hardware and software firewall. If the hardware firewall has a flaw that allows others to execute their code on it only the hardware firewall is affected. With a software firewall it is your machine that's then infected.


Originally posted by Wolfy:
First: "Symantec has released a patch for this vulnerability. The patch is available via the Symantec LiveUpdate service."


That was just one example, to bring the point across that every software has flaws. If there is no use in running a software then all it does is lower your overall security.

Quote:
Secondly, if someone has made it past your hardware firewall, you'd rather leave yourself completely open to any attack instead of at least trying to come up with a secondary defense?


Nope, I'd also tighten down my services so that only those are running that I need. Those would have had to have an exception rule in a software firewall anyway and everything else that isn't running can not be exploited.


Originally posted by Emon:
What? The whole point of anti-virus is to REMOVE viruses. Any decent piece of anti-virus software can be set up to automatically quarantine or clean infected files.


OK, that is true. As long as the virus scanner keeps the virus from being executed it can do its job.
Sorry for the lousy German
2006-02-25, 6:15 AM #32
Originally posted by Impi:
Nope, I'd also tighten down my services so that only those are running that I need. Those would have had to have an exception rule in a software firewall anyway and everything else that isn't running can not be exploited.


Are you familiar with the concept of defense in depth? Multiple points, multiple means, central point of responsibility (though in the case of a personal PC, there's only one point of responsibility). Tighten your services, put up a hardware firewall, put up a software firewall, don't open suspicious e-mails - i.e., I'm not saying that a software firewall alone will protect your computer. Good hardware and good security practices will. But software firewalls are a useful tool when creating a good layered security system for your personal PC.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
2006-02-25, 9:01 AM #33
What does it do that I can't accomplish with stopping unneeded services?
I want to lower the codebase, not heighten it.
Sorry for the lousy German
2006-02-25, 3:08 PM #34
So what happens if you want to limit a service to a particular group of hosts, i.e. your LAN? How about stopping attacks on ports of legitimate services which you NEED running? How about closing up stray ports you may not even know are vulnerable to attack?
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2006-02-25, 6:41 PM #35
1) To stop something from getting outside of the LAN there is the packet filter in the router. You can also configure every service to listen only to connections from your LAN (at least in Linux, don't know about Windows).

2) If I need something to be running with an open port to the internet I'll also need to add an exception in the firewall for it to properly function.

3) If I don't know if a software opens a port I shouldn't be allowed to use my computer.


I admit that if you absolutely need a service that absolutely resists all attempts to bind it to localhost or your LAN you need a host based packet filter. But I haven't come across such a service. And for packet filtering the Windows firewall will do its job.
Sorry for the lousy German
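
Added example, not written by any poster in this thread: the approach argued in posts #33 to #35 (bind each service to localhost or the LAN instead of filtering it) can be checked by listing listening sockets by bind address. The sample below is constructed in Linux /proc/net/tcp layout, a little-endian host is assumed, and the function names are illustrative.

```python
import ipaddress

# Constructed sample in Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0A01A8C0:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0A01A8C0:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1
"""

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port).

    Assumption: little-endian host, so the address bytes are printed reversed.
    """
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
    return ip, int(hex_port, 16)


def bind_scope(ip):
    """Classify how widely a listening socket is reachable by its bind address."""
    if ip.is_unspecified:      # 0.0.0.0: every interface, including the WAN side
        return "all-interfaces"
    if ip.is_loopback:         # 127.0.0.0/8: local processes only
        return "loopback"
    if ip.is_private:          # RFC 1918 ranges: bound to a LAN address
        return "lan"
    return "public"


def listeners(proc_net_tcp):
    """Return (ip, port, scope) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # Data rows start with an index like '0:'; the header row does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established and other non-listening sockets are ignored
        ip, port = decode_addr(fields[1])
        found.append((str(ip), port, bind_scope(ip)))
    return found


def reachable_beyond_lan(proc_net_tcp):
    """Listeners that must be rebound or covered by a packet-filter rule."""
    return [(ip, port) for ip, port, scope in listeners(proc_net_tcp)
            if scope in ("all-interfaces", "public")]


if __name__ == "__main__":
    for ip, port, scope in listeners(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port:<6} {scope}")
    print("rebind or filter:", reachable_beyond_lan(SAMPLE_PROC_NET_TCP))
```

On a live Linux host the same functions can be fed the contents of /proc/net/tcp; anything reported by `reachable_beyond_lan` is a service that the bind-only approach has not yet covered.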
2006-02-25, 8:26 PM #36
Yes, those would be ideal conditions. And perhaps for you, you don't need a software firewall. Conditions are hardly ideal, and a good software firewall is often much more affordable than a good hardware firewall.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2006-02-26, 8:22 AM #37
Originally posted by Impi:
3) If I don't know if a software opens a port I shouldn't be allowed to use my computer.


I've had firewalls (none of which were the Windows XP firewall) catch Windows Solitaire trying to access the Internet, for whatever reasons it may need to. And I wouldn't have known about it because Solitaire has no reason to have networking functionality. So, does this mean I shouldn't be allowed to use my computer, because I didn't know that Solitaire would need a port open?

Software firewalls are a useful tool for those of us who know that a system can not be functional and 100% secure at the same time. You're leaving yourself that one bit less-defended by running without a good software firewall. Software firewalls can and do stop DoS attacks - Norton caught and stopped a DoS that took down my cable provider's nameserver. The Windows firewall wouldn't have done that, and the SPI firewall in my router wouldn't have done that.
the idiot is the person who follows the idiot and your not following me your insulting me your following the path of a idiot so that makes you the idiot - LC Tusken
