Re: to PFW or not to PFW


comp.security.firewalls archive

From: Nicholas DePetrillo <nick_usenet@oshean.org>
Date: Tue Jan 31 2006 - 19:36:53 CET

On Tue, 31 Jan 2006 18:14:51 +0000, Juergen Nieveler wrote:

> Nicholas DePetrillo <nick_usenet@oshean.org> wrote:
>
>> You can never have a 100% effective firewall/filter, you can only do
>> risk mitigation. The more risk mitigation, the safer you are. If that
>> means putting layers of security between you and the rest of the world,
>> that's fine. One of those layers might as well be a PFW/packet filter.
>
> Another way of mitigation is offering less that can actually be
> attacked.
>
> If there's no service listening and the port just says "closed" in
> tests, nobody can exploit it unless the whole IP stack is broken. If
> the IP stack is broken, however, no personal firewall on top of the IP
> stack can protect you.
>
> The best protection is a) to use a router with NAT and port filtering,
> and b) to disable all unnecessary services on your machine.
>
> Juergen Nieveler

That is a very good point.

A layered security approach is always preferred. Disabling those
unnecessary services is key in some Linux distributions (I think Debian
comes by default with a lot of the inetd stuff turned on; I use Gentoo
myself) and especially in Windows.

However, these days in Windows, putting yourself behind a router with NAT
just won't cut it. A lot of the most recent attacks on Windows have been
client-side, not remote (WMF). I think you will see a lot more of that
happening: as Windows cleans up its act and secures itself as much as it
can on the network side, people will try to exploit the local applications
more.

-- 
Nick DePetrillo
Network Security Engineer
OSHEAN
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x121245B5
Received on Tue Feb 7 20:58:32 2006
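The "disable all unnecessary services" advice in the thread above is only actionable if you can see what is actually listening on non-loopback addresses. The following script is an added example, not code from either poster: it parses the output of `ss -H -tulnp` (assumption: a Linux host with iproute2; the embedded sample is constructed, not captured from a real machine), drops sockets bound to loopback, and reports anything reachable from the network that is not on an allowlist. The allowlist (`ALLOW`) and the process names in the sample are assumptions for illustration.

```python
"""Audit listening sockets against an allowlist of intended services.

Added example, not from the original post. Assumes Linux with iproute2
(`ss`); falls back to a constructed sample so it runs offline.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -H -tulnp` output (assumption: not a real capture).
SAMPLE_SS = """\
udp   UNCONN 0      0          127.0.0.53%lo:53         0.0.0.0:*    users:(("systemd-resolve",pid=512,fd=13))
udp   UNCONN 0      0                0.0.0.0:111        0.0.0.0:*    users:(("rpcbind",pid=600,fd=5))
tcp   LISTEN 0      128              0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128            127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      50               0.0.0.0:21         0.0.0.0:*    users:(("inetd",pid=450,fd=4))
tcp   LISTEN 0      128                 [::]:22            [::]:*    users:(("sshd",pid=801,fd=4))
"""

# Services we deliberately expose (assumption for this example): only SSH.
ALLOW = {("tcp", 22)}


@dataclass(frozen=True)
class Socket:
    proto: str      # "tcp" or "udp"
    addr: str       # bound address, with [] and %iface suffix stripped
    port: int
    process: str    # owning process name from the users:(...) column, or "?"

    @property
    def is_loopback(self) -> bool:
        return self.addr.startswith("127.") or self.addr == "::1"


_PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(text: str) -> list[Socket]:
    """Turn `ss -H -tulnp` lines into Socket records."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")          # "[::]:22" -> "[::]", "22"
        addr = addr.strip("[]").split("%", 1)[0]        # "127.0.0.53%lo" -> "127.0.0.53"
        match = _PROC_RE.search(line)                   # absent when not run as root
        sockets.append(Socket(proto, addr, int(port), match.group(1) if match else "?"))
    return sockets


def exposed_unallowed(sockets: list[Socket], allow: set[tuple[str, int]]) -> list[Socket]:
    """Sockets reachable from the network whose (proto, port) is not allowlisted."""
    bad = [s for s in sockets if not s.is_loopback and (s.proto, s.port) not in allow]
    return sorted(bad, key=lambda s: (s.proto, s.port, s.addr))


def live_ss_output() -> str:
    """Run ss on the local host (Linux only)."""
    return subprocess.run(["ss", "-H", "-tulnp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    try:
        text = live_ss_output()
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_SS  # offline fallback to the constructed sample
    for s in exposed_unallowed(parse_ss(text), ALLOW):
        print(f"{s.proto}/{s.port} on {s.addr} ({s.process}) is reachable "
              f"from the network and not allowlisted")
```

On the constructed sample this flags rpcbind on udp/111 and the inetd-managed FTP listener on tcp/21; sshd is allowlisted and cupsd is loopback-only, so neither is reported. The point of the loopback check is the one Juergen makes: a service that cannot be reached from the network is not attack surface for a remote attacker, regardless of whether a personal firewall is in front of it.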