Hi! For a better understanding of firewalls, here's something about the mechanisms - not to confuse anybody, but to show the difference. A Windows "personal firewall" has nothing to do with a Linux firewall (only the XP personal firewall uses similar techniques).
I've found an interesting program to check firewalls. It demonstrates the ability to connect to the internet via other programs which are allowed to connect (Trojan horses). Is it possible to block the program from accessing the internet via a stand-alone router?
A securely configured firewall only lets your PCs connect to the internet - nobody else, if not wanted. The port filter filters well-known (0-1024) and unknown (1025-65535) ports and the protocols TCP, UDP, IGMP [...], does NAT, SNAT [...] and connection tracking (http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html), and routes networks. Not more, not less (e.g. Smoothwall without any extra services)!
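To make the "connection tracking" point concrete, here is an added toy example (not code from the thread, Smoothwall or iptables) that contrasts a plain port filter with a stateful one. The addresses, the LAN range and the four packets are constructed; the stateless filter deliberately uses the old trick of admitting any inbound packet whose source port is 80 or 53, which is what a stateful filter makes unnecessary.

```python
"""Toy stateful vs. stateless packet filter (constructed example, not a real firewall)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed internal network (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for a TCP connection-opening packet


def _from_lan(pkt: Packet) -> bool:
    return ip_address(pkt.src) in LAN


class StatelessFilter:
    """Pure port filter: it has no memory, so to let replies in it must trust
    the *source* port of inbound packets, which the sender chooses freely."""

    def decide(self, pkt: Packet) -> str:
        if _from_lan(pkt):
            return "ACCEPT"
        return "ACCEPT" if pkt.sport in (80, 53) else "DROP"


class ConntrackFilter:
    """Stateful filter: remembers flows opened from the LAN and only admits
    inbound packets that answer one of them (the ESTABLISHED idea)."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()  # flows keyed as seen from the LAN side

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if _from_lan(pkt):
            if pkt.proto == "tcp" and not pkt.syn and flow not in self.table:
                return "DROP"  # TCP data without a tracked handshake: INVALID
            self.table.add(flow)  # NEW from inside: remember it
            return "ACCEPT"
        if reverse in self.table:
            return "ACCEPT"  # ESTABLISHED: reply to something we opened
        return "DROP"  # unsolicited from outside, whatever port it claims


def run_scenario() -> dict[str, tuple[str, str]]:
    """Constructed traffic: one legitimate web session plus two unsolicited
    inbound packets. Returns {name: (stateless_verdict, conntrack_verdict)}."""
    pkts = {
        "lan_to_web": Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True),
        "web_reply": Packet("203.0.113.5", 80, "192.168.1.10", 40000),
        "spoof_sport": Packet("198.51.100.7", 80, "192.168.1.10", 139, syn=True),
        "scan_ssh": Packet("198.51.100.7", 4444, "192.168.1.10", 22, syn=True),
    }
    stateless, conntrack = StatelessFilter(), ConntrackFilter()
    return {name: (stateless.decide(p), conntrack.decide(p)) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:12s} stateless={verdicts[0]:6s} conntrack={verdicts[1]}")
```

The "spoof_sport" packet is the one that separates the two designs: the port filter admits it because it claims to come from port 80, while the stateful filter drops it because no LAN host ever opened a connection to that peer.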
From here you will say everything is equal, as it looks, but can your personal firewall filter Ethernet addresses or do traffic accounting?
The above software is maybe a nice check, but looks like a fake - it talks only about the internal security of Windows and wants to sell a product (http://www.pcinternetpatrol.com/downloads/ind.php). Normally the simple XP personal firewall (an example of a simple connection-tracking firewall) and a virus scanner are enough for single home PC users. If you have DSL or more than one PC, you choose a firewall. If you want to check your firewall, use GFI LANguard or other checking software that tests for exploits. The big plot is that IE is the biggest hole in security (and strange "third-party plugins"). If you allow IE to access the internet (without a DLL check), you allow a lot. Next, you can program software to directly close a popup after it appears and always say yes to any question (I think with a window handler). There are many, many more reasons why a personal firewall will not work that securely... this is used by such pseudo-testers. Why is a firewall secure? Not because of the fact that it blocks ports: because it is not built inside a PC (no one except the admin knows what's running on it and how he set up the box)! Most people confuse Linux-based firewalls with personal firewalls on Windows. Personal firewalls on Windows are no real security, because they run on the same box the OS runs on and have more or less the same security the OS has - see the small example for IE (above). It is a nice thing to have a personal firewall; Kerio does work nicely and has implemented nice features: MD5 checks for apps, checking which software accesses the internet and which third party is used to access the internet, combined with a simple web content filter. In larger companies that is not enough - you cannot rely on a firewall that is installed on each PC (even if MS makes you believe so).
You can get these security features on modern firewalls combined with other software:

WWW:
- transparent proxy filtering: squid -> DansGuardian -> LAN ("good site" access, "bad site" denied). Web access cannot be gained without the filter, because the firewall redirects the www port.
- web proxy with virus filter: squid -> DansGuardian -> AV engine -> LAN (filter good and bad sites, scan for viruses)

SMTP: postfix or any other mail server & AV scanner & spam filter

Samba (not on the firewall or in the DMZ): smb-vscan (AV engine for Samba, but experimental)

Services: a firewall shall only run the services it minimally needs (e.g. ssh, squid, smtp, caching DNS, DHCP).

Security of the firewall:
- kernel without LKM, no compiler, no make ... or on separate storage for installation/update only (e.g. USB stick)
- chroot services (http://www.ss64.com/bash/chroot.html)
- capabilities - kernel access rules denying even root, if desired (even available, at high cost, for Windows)
- IDS - check if something changes (most times included in personal firewalls)
- depending on the level of security: report critical data via SMS
- be up to date
- switches or connectors with port learning function (hardware solution)
- a firewall before your firewall (double NAT)
- [...]

There are several other approaches, e.g. a firewall with an authentication system: http://www.nufw.org/ For Linux I saw somewhere even an app-based firewall like the personal firewalls (don't know if this works).
Ok - this was a clear point. And what about standalone firewalls (i.e. SuSE Firewall)? I think blocking such internet access is only possible with a client-based firewall, which knows the programs and DLLs which are allowed to access the net?
http://www.it-analysis.com/article.php?articleid=8773 http://news.zdnet.co.uk/hardware/emergingtech/0,39020357,2099013,00.htm The personal firewalls try to do the same thing a secure Linux server does and make you think they have the same security level. No, they have not, nor does Windows know anything about any of these features (or it will be very expensive)! If you like, install it as an extra benefit, but don't trust it 100%. Simple in-a-box firewalls for DSL have most of these security benefits built in, but have to be up to date - some even have DansGuardian inside.
The important point, IMHO, is to teach users not to download programs from the internet without thoroughly checking the intention of the program. And of course not to click on suspicious links or open email attachments.
<fun-tag> Or much easier, in one step: let them sign terms of use for your network. Frighten them and tell them something like: "In case of damage caused by a client, the client has to pay." :-) </fun-tag> Well, that will not work (there are too many Teletubbies).
I think the only possibility to avoid such dangers is to prevent users from downloading ANY program ;-) This little demo program works without installing it :-/
Nothing easier than this: install DansGuardian and block your desired extensions (e.g. .exe, .com, .zip, .pif, .xls and dot-whatever). If you want to have less work with your users: no CD, DVD & floppy in any PC (don't forget to disable USB and to protect the BIOS with a password), use a corporate AV solution and DansGuardian & AV plugin. I know this is unfair, but the question is, what costs more? Philippe