Re: F-Secure and PostgreSQL

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Konsta Tiihonen <konsta(at)gmx(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: F-Secure and PostgreSQL
Date: 2008-05-23 11:29:18
Message-ID: 4836AA8E.7020509@postnewspapers.com.au
Lists: pgsql-general

Konsta Tiihonen wrote:

> As several posters in some forum (can't remember which, the thread was more than a year old) pointed out, this issue is especially related to F-Secure, so, if I wanted to spend another couple of bucks on other antivir software, this might be resolved - they said they had it running smoothly while having ZoneAlarm active.
>
> Do you know of any sources investigating security of Windows' own firewall, since you do not seem to be worried about securing a Windows PC with just the standard firewall?

3rd-party single host software firewalls are a left-over from Win98 days
when the OS was full of gaping remotely exploitable security holes and
had lots of services listening by default.

In my experience and based on the security history the Windows firewall
is just fine. Don't take my word for it, though - check for CERT
advisories involving the Windows firewall, search MSDN, etc.

Personally, the only reason I see for adding a 3rd party host-based (ie
non-routing) firewall to ANY modern OS is if you want to support egress
filtering & monitoring or have complex per-interface rules. For anything
more complex than simple ingress filtering I'd want a dedicated (in my
case Linux-based) firewall/router box anyway.

I don't see the point of single host egress filtering myself, as
anything that's trying to initiate outgoing connections is already able
to do pretty much whatever else it wants within its local privilege
level. Like (on Windows) spawn a hidden MSIE window and submit a web
form. The horse has bolted.

Avoiding 3rd party firewalls also saves you money and a great deal of
pain caused by their profusion of bugs, incompatibilities, and dodgy
hacks. It's also one less probably buggy program that might be exploited
by an attack over the 'net.

Even if you want an add-in firewall on some machines (say, business SOE
systems if you don't like your users or tech support staff) using one on
a system with a database like PostgreSQL seems like an unusual choice. I
would personally avoid having a resident virus scanner too, as they're
as bad as or worse than add-in firewalls for causing problems. Then
again, I don't execute untrusted code downloaded off the 'net.

If you do remove your 3rd party firewall you may need to manually
re-enable the Windows one. Additionally, they sometimes leave the IP
stack in a rather messed up state, so you might need to run:

netsh interface ipv4 reset

(on XP a logfile path argument may need to be appended)

On a side note, I would personally want to use a UNIX/Linux based DB
server for anything but development work anyway.

--
Craig Ringer
