Software Firewalls: Is there such a thing anymore?

Discussion in 'other firewalls' started by CrazyM, Nov 16, 2002.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    Or are they all destined to become overall system security applications/suites?

    There was a time firewalls were considered something that simply controlled traffic between networks.

    As things evolved more features were introduced and the definition of “firewall” and what it is/does will likely vary depending on whom you ask.

    Application control became popular. Then the original leaktest demonstrated a possible need for application checksums. Later the more advanced leaktests demonstrated the potential for application hijacking and .dll injection. Some provide ad, cookie, active content and other privacy and content filtering. Most firewalls now provide stateful inspection and are introducing intrusion detection systems and sandboxing capabilities as well.

    The various vendor offerings provide this added functionality via components/features within the application, plug-ins or application suites. Add in to the mix the increased public awareness to computer security issues and the vendors catering to a broader user base than before.

    With all this capability comes added complexity. Do we want all our eggs in one basket, so to speak?

    Is there such a thing as just a firewall anymore?

    …food for thought and discussion.
  2. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    Good question...

    You know, it's funny. When auditing networks in the business environment, one of the first things looked at is the firewall setup, of course. A key item checked is whether or not the firewalls, (in this case, so called "hardware" firewalls), are just running firewall software, or if they are also doubling as other network servers - i.e. handling IDS, proxy, or worse yet, sendmail and other network services.

    In the purest sense, the idea is that a firewall should do just one function, to keep it from being too complex to maintain, and to prevent the introduction of additional potential security holes, (such as all the holes in sendmail, for example). Yet, in the home environment, we see the "software firewall" becoming that all encompassing security suite you mentioned.

    You have to wonder if the software firewall vendors are up to the task of handling all aspects of security for that computing environment, which itself is becoming more and more complex as more powerful OS' are being used in the home (such as XP). From what I've seen so far, I really have to wonder if a single software suite can do all this.

    Hmm - I guess I didn't answer the question...
  3. JacK

    JacK Registered Member

    Jun 20, 2002
    Belgium - Liège
    Hi,

    AFM I prefer a FW doing only its real job : Filtering IN and OUT, nothing more, nothing less and I am using other dedicated apps for anything else, like popups, referrers filtering, etc...

    I run KPF v2.1.4 and I don't think I shall change for KPFv3 : seems to become a bloated software like many others for marketing purpose.

  4. root

    root Registered Member

    Feb 19, 2002
    Missouri, USA
    I think it's a personal preference thing. Some people take the purist stance like Jack, others like me prefer an application that does the firewall job first of all and as an added benefit, it will do some filtering and content control also.
    Please do not take away from a firewall application its ability to do a top rate job as a firewall, just because it has added features. The firewall has to give up nothing to function in a multiple use environment.
    Let's look at the eggs in the basket concept. First of all, 99.9% of the time, applications don't just quit functioning for no reason. When they do quit functioning, there is usually some indication.
    Now, let's take an example. Say bugbear gets on a computer and shuts down Outpost. You lose your firewall, ad filtering, cookie control, and DNS cache.
    So what! If I've lost my firewall, that's all that counts. At this point in time, I am not worried about ads and cookies. As a matter of fact, if I cruise to a website and see a bunch of ads, then that might be the first thing to alert me to the fact, I've lost my firewall.
    The concept of putting all your eggs in one basket comes into play if you take a single program and have it as the "only" program on your computer to protect you from viruses, worms, trojans, keyloggers, and all other malware.
    Also, in these multiple use programs, such as Outpost, at least, the added features are plugins, and can be unloaded if you want. You can use some, none, or all.
    I once went the route of having an AV, AT, Firewall, cookie program, ad filter program, host file, and I can't remember what else. Since I combined a few of those things with Outpost and use an AT, AV, and registry watcher, I will stack my security up against anyone's on this board.
    And I don't use near the resources I used to.
    Just my .02. :D
  5. jvmorris

    jvmorris Registered Member

    Feb 9, 2002
    Oh, I suspect they are. At this late date, it is a bit difficult to remember when line editors became text editors, and then became word processors. Perhaps, more to the point is how quickly we forget all the things that we now take for granted as normal word processing functions were once handled by separate utilities: Spelling checkers, grammar checkers, outliners, desktop publishing, indexing, ToC generators, web-page publishing, integral graphic and draw functionality, and tables and math (to name only a few!) were all at one point provided by add-on utilities. And, of course, this has now led to the provision of Works and Office suites which incorporate even more functions.
    Well, of course, that had pretty much evaporated as a concept by the time the masses started using software firewalls! (I think you probably know that better than I do inasmuch as I didn't show up on this particular scene until late 1999.)
    Yes, that's the question -- and for a very good reason. Specifically, software firewalls are now becoming a mass-market phenomenon -- much like word processing, anti-virus, etc., did (now well over ten years ago). The simple fact of the matter is more limited to marketing considerations than to anything else. After all, there's only so far that one can go with market development (and revenue generation) by constantly refining and enhancing the basic functionality (or improving 'ease of use', for that matter)-- and that statement applies as well to 'firewalls' as it does to word processors and anti-virus products. Consequently, one begins to expand the definition of what constitutes 'expected' functionality. (And some vendors are quite good at this.)

    Still, and especially with regards to security products, is this necessarily a good thing? Well, our (and we are, after all, the market) response to that varies. Some people like that common interface to all sorts of different things, with (what was once) different functionality provided by different applications now being provided in a single brown wrapper. Others are worried by precisely the same thing! After all, here we're talking about security enhancement products. And many of us not only prefer layered defenses, we prefer the layering of different solutions (and solution strategies) provided by different vendors.

    Oddly, one thing that very seldom gets addressed is the multiplicity of choices. If one can choose a 'firewall' from any of a half-dozen vendors, choose an AV (or AT) from another half-dozen vendors, another half-dozen for file authentication, another half-dozen for keyloggers, another half-dozen for ... (well, you get the idea), then it becomes a major nuisance for a 'cracker' to contend with all the possible combinations and permutations of possible security measures. However, once we go to 'suite' solutions, it seems almost inescapable that one will achieve significant market dominance (much as Microsoft has done not only with Windows, but also with Microsoft Office). At that point, the 'cracker's' problem is immensely satisfied -- for the most part they only have to 'crack' one product line from one vendor. Voila!! No more nasty combinations and permutations to worry about!

    Finally, I see one other problem with security vendors moving into mass-market and trying to continue to not simply remain profitable but to achieve dominance in the market. Now, this one is a bit difficult to explain, so please bear with me for a moment. In my opinion, it's much easier for a security vendor to start incorporating rather peripheral functionality like 'intrusion detection', 'packet sniffing', 'traceback' and 'automatic forwarding of suspected intrusion attempts' and thereby obtain both continuing profits and market dominance than it is to start addressing some of those 'tough to handle' pure (software) firewall issues. Rather obviously, the extent to which the (software) firewall vendors are going to start addressing IPv6 (and its protocols and associated vulnerabilities), or even simply protocols other than TCP/UDP/ICMP/IGMP, never mind the little arcane details like non-standard TCP flags or ICMP Message Codes (no, not Message Types). Let's be honest, just how many additional packages are they going to sell (today, not next year) by getting into arcana which most of the buyers (that's us, again) have never heard of (and probably couldn't conceivably evaluate)? Indeed, more than anything else, the current situation rather reminds me of the late 50s and early 60s (and since) in the (American) automotive industry. We didn't get rack and pinion or ABS or seat belts or air bags or even safety glass because it sold cars -- we got it because a Government (somewhere) mandated it!
    Oh, of course there is! And there always will be. After all, much as it is maligned, there is always a portion of the consumer market that will choose to put its money into that oft-maligned concept of "security through obscurity". (I must note my own inclination to buy standard transmission autos, for example, as being partly due to the fact that so few car thieves these days know how to drive them!) What "cracker" is going to waste his or her efforts on 'cracking' an obscure firewall implementation that, in fact, is only used by a very small portion of the market when a few simple vulnerabilities are readily sufficient to exploit the 'vast, unwashed' or those who rely exclusively on the 'most popular' security solutions?