Comments on: Don’t use software firewalls: Good advice or bad?
https://dfarq.homeip.net/dont-use-software-firewalls-good-advice-or-bad/?utm_source=rss&utm_medium=rss&utm_campaign=dont-use-software-firewalls-good-advice-or-bad
David L. Farquhar on technology old and new, computer security, and more
Mon, 10 Oct 2011 18:04:34 +0000

By: robohara
https://dfarq.homeip.net/dont-use-software-firewalls-good-advice-or-bad/#comment-7532
Mon, 10 Oct 2011 18:04:34 +0000

This is an interesting post. I’ve never really heard the argument that hardware firewalls are intrinsically better than software-based ones, and I’m not sure that I agree with it. I think that hardware-based firewalls are probably, as a whole, better “out of the box” than software-based ones. From a security point of view, it would be better if, when either one fails, they fail to an “all-closed” state rather than an “all-open” state, and maybe that’s one difference between the two. I’d rather come home and find all ports blocked rather than all ports open.

The biggest problem with firewalls is that, to make your network useful, you have to poke holes in them. The best firewall in the world won’t stop a SQL Injection attack, because by design, SQL is allowed through the firewall. Combine that with the approach that many corporate firewalls seem to take (“everything outbound is okay”) and you can set yourself up for bad news with a strong case of false security.

Firewalls are a great way to explain the security triangle (secure/usable/cheap) to people who don’t understand the concept. 😉
