Hi John,

I am aware that the firewalls do contain some software and also that they can be exploited. My argument is that they are harder to exploit, don't contain the myriad software dependencies that may open up exploits, don't need constant software upgrades and are single-task focused on one job, allowing greater security. They are also a quick, cheap and justifiable (to both a client and, if you are taken to court) way of protecting a client's stuff from external intrusion.
I searched the web for exploits on the FM114P, which is the lowest end of the lowest end (they don't get much cheaper). There were two main exploits. One of them required you to open up the firewall for remote administration (which of course is always hackable by brute forcing of passwords etc.) and also enable universal plug and pray (UPnP). Anyone who enables UPnP after being consistently told how stupid it is to do that and what kind of M$ exploits are available deserves to be hacked. This was the only external intrusion I saw listed.

The other exploits were all very theoretical or involved internal users trying to get around content filtering, website filtering etc. Most of these exploits were things all firewalls (hardware and software) have in common and were not specific to the hardware firewall or FM114P (e.g. if you block Ilovesexxx.com and a user says go to its IP instead (e.g. 166.45.234.22) then it lets you through). Like other firewalls, you just build up your list. The other exploits were sending bogus IPs to be logged from an internal account and having the bogus logs contain some malicious code that an M$ program might run and cause damage with. The exploit is not the firewall's, it is the client used to read the logs.

I respectfully stand by my statement that, 'Hardware firewalls cannot be *software cracked*, are fast and don't absorb CPU time.' No buffer overruns to deal with, no malicious code to defend against, no twisted URLs sending you haywire or dependency changes opening you up to problems. They are still in my opinion an excellent idea, especially if things like IPCop are driving you around the bend. Besides which, nothing will ever be 100% secure.

<opinion> For me, if IPCop was causing problems, I was risking my reputation getting tarnished by repeated visits to client sites and it had taken me or would take me longer than three hours to fix, then I would do my client a favour, save them money and buy some hardware. Three hours of IT expert time at $80 (low end of the IT market) per hour spent looking for or resolving problems is better spent once off on a sure fix than spent trying to possibly resolve a problem. Businesses love pragmatism. </opinion>

Cheers,
Shane

On Tue, 29 Jul 2003 02:18, you wrote:
> On Tue, 29 Jul 2003, Shane Hollis wrote:
> > Hardware firewalls cannot be software cracked, are fast and don't absorb
> > CPU time.
>
> While I'm using DSE's
> http://www.dse.co.nz/cgi-bin/dse.storefront/3f25d83f0b832842273fc0a87f9906df/Product/View/XH1149
> quite happily, I'm under no such illusion.
>
> All a H/W one is an embedded computer vulnerable to exactly the same
> problems. The only difference is it is slightly harder to crack and more
> difficult to fix once somebody has cracked it.
>
> But I will agree it is nice, just plug in the ethernet cables (it's a hub
> as well), configure via your web browser and go. Luvly. Fast and utterly
> pain free.
>
> 'till I get stung by someone cracking the thing and using it as a spam
> relay...
>
> John Carter                  Phone : (64)(3) 358 6639
> Tait Electronics             Fax   : (64)(3) 359 4632
> PO Box 1645 Christchurch     Email : [EMAIL PROTECTED]
> New Zealand
>
> A Million Monkeys can inflict worse things than just Shakespeare on
> your system.

-- 
Shane Hollis
Notes Unlimited
New Zealand
Ph: 021 465 547
Email: [EMAIL PROTECTED]
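The filter bypass Shane describes (block the name, the user types the address instead) is worth seeing in code, because "just build up your list" undercounts how many spellings of one address a browser will accept. The block below is an added example, not code from the thread or from any firewall product. It takes the domain and address quoted in the thread; the DNS mapping in `ASSUMED_DNS` is a constructed assumption (no lookup is performed), and `naive_allowed` / `hardened_allowed` are hypothetical names for the two filters. The hardened version goes beyond the single dotted-quad case in the thread and handles every numeric host form the C library's `inet_aton` accepts (decimal, octal and hex parts, fewer than four parts, a single integer) plus IPv4-mapped IPv6 literals and a trailing dot on the name.

```python
"""Hostname-only URL filter (as in the thread) beside a hardened one.
Added example; the DNS mapping is a constructed assumption, no lookup runs."""
import ipaddress
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"ilovesexxx.com"}
# Constructed assumption: what the blocked name resolves to.  A real filter
# must resolve this itself and refresh it, since the address can change.
ASSUMED_DNS = {"ilovesexxx.com": {"166.45.234.22"}}
BLOCKED_IPS = {ipaddress.ip_address(a) for addrs in ASSUMED_DNS.values() for a in addrs}


def _host_of(url: str) -> str:
    # urlsplit lowercases the host and strips IPv6 brackets for us
    return urlsplit(url).hostname or ""


def naive_allowed(url: str) -> bool:
    """The filter as described in the thread: compares the host string only."""
    host = _host_of(url)
    return not any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def _matches_domain(host: str) -> bool:
    host = host.rstrip(".")  # "ilovesexxx.com." names the same host
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def _inet_aton_part(s: str) -> int:
    # Same rules as inet_aton: "0x" prefix is hex, leading 0 is octal, else decimal.
    if s[:2].lower() == "0x":
        return int(s[2:], 16)  # int("", 16) raises ValueError, which is what we want
    if len(s) > 1 and s[0] == "0":
        return int(s, 8)
    return int(s, 10)


def parse_host_as_ip(host: str):
    """Return an ip_address if `host` is any numeric spelling of one, else None.

    Accepts the inet_aton forms a.b.c.d, a.b.c, a.b and a bare integer, each
    part in decimal, octal or hex, plus IPv6 literals (including ::ffff:a.b.c.d,
    which is reported as the embedded IPv4 address)."""
    parts = host.split(".")
    if 1 <= len(parts) <= 4:
        try:
            nums = [_inet_aton_part(p) for p in parts]
        except ValueError:
            nums = None
        if nums is not None:
            *lead, last = nums
            last_bits = 8 * (4 - len(lead))  # the last part fills the remaining bytes
            if all(0 <= n <= 255 for n in lead) and 0 <= last < (1 << last_bits):
                value = 0
                for n in lead:
                    value = (value << 8) | n
                return ipaddress.IPv4Address((value << last_bits) | last)
    try:
        v6 = ipaddress.IPv6Address(host)
    except ValueError:
        return None
    return v6.ipv4_mapped or v6


def hardened_allowed(url: str) -> bool:
    """Block the name, and every numeric spelling of the address it resolves to."""
    host = _host_of(url)
    if _matches_domain(host):
        return False
    ip = parse_host_as_ip(host)
    if ip is not None and ip in BLOCKED_IPS:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs: every one below names the same blocked host.
    for url in ("http://ilovesexxx.com/", "http://166.45.234.22/", "http://2788026902/",
                "http://0xa62dea16/", "http://0246.055.0352.026/", "http://166.45.59926/",
                "http://[::ffff:166.45.234.22]/", "http://ilovesexxx.com./"):
        print(f"{url:40} naive={naive_allowed(url)!s:5} hardened={hardened_allowed(url)}")
```

The practical caveat is the one the thread itself hints at: a name-based list can only ever be as good as the address list behind it, so a filter that wants to stop the "type the IP instead" trick has to resolve its blocked names, keep that resolution fresh, and match on the address, which is exactly what a packet filter rule on the destination IP does for free.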
