From: Odd H. S. <the...@ru...> - 2005-05-31 16:46:27

On Tue, 31 May 2005 09:46:30 -0500 Jay Maynard <jma...@co...> wrote:
> On Tue, May 31, 2005 at 04:32:02PM +0200, Odd H. Sandvik wrote:
> > On Mon, 30 May 2005 21:23:43 -0500 Jay Maynard <jma...@co...> wrote:
> > > On Tue, May 31, 2005 at 12:05:09PM +1000, Andrew McGlashan wrote:
> > > > ZA is a 'personal firewall' -- there is a place for personal firewalls, but
> > > > I prefer Kerio myself (at least on Windows boxen).
> > > ZA is a personal software monitor, not a firewall. It cannot keep packets
> > > from reaching the target machine.
> > Sure it can. Along with blocking apps on the host OS, you can set up
> > rules similar to IPCop.
>
> Yeah, but those rules are *on* the target machine, and thus don't come into
> play until the packet has reached the target machine. ZA can stop packets
> from getting to apps on the target machine, but it cannot stop packets from
> getting to the machine itself and its IP stack - and if those packets
> exploit bugs in the IP stack, you're wide open.

The same could happen to a Linux firewall protecting a LAN. What happens when that Linux box is compromised? Think of it as layered security, with the Linux box one step above the personal firewall.

> A firewall doesn't allow packets to go to any machine that it's not set up
> to pass them to. The target machine never sees the packets with the exploit.
>
> > Now, a dedicated firewall appliance like IPCop will of course be more
> > immune to hijacking and user errors that could jeopardize a personal
> > firewall. But make no mistake, they are both firewalls, only serving
> > different markets.
>
> Nope.

I think you'll find that your objection to the term "personal firewall" isn't in tune with the industry, resources on the net, or the popular definition of it. Just google it: http://tinyurl.com/aovwn

--
Odd H. Sandvik