Q: What about the so-called personal firewalls? Are they any good?
A: While they can provide some limited protection, software or personal
firewalls have many weaknesses. No matter what the manufacturer of any
personal firewall would like you to believe, there is no software product
which will protect you against all types of attacks, nor from an
"internal" compromise, that is, if you (or somebody else with access to
your PC) run software on your machine which takes control of that machine
and subverts the firewall. While we STRONGLY recommend that a hardware
firewall be used, in most circumstances you are better off with a software
firewall than with no firewall, because of the difficulty of closing off
the many insecure services bundled with Windows. We list the pros and cons
of using personal firewalls below.
Personal firewall PROs
· A personal firewall can be used to prevent access to certain services
built into Windows which are notoriously difficult or even impossible to
disable, such as NetBIOS.
· A personal firewall can prevent certain Denial of Service attacks, most
notably disconnects caused by spoofed ICMP "unreachable" messages (the
so-called "click" attack). This is perhaps its most important (and some
would say only unique) contribution to your security.
· A personal firewall can block inadvertent holes in your computer's
security if you unintentionally leave open services such as file or print
sharing or an FTP daemon. Instead of relying on a firewall, however, you
should check your security (try the ShieldsUP! site) and simply fix these
vulnerabilities by turning the services off.
· This is barely a pro at all. Personal firewalls can block the action of
certain Trojan horses, by preventing them from "phoning home" and by
preventing a would-be attacker from connecting to them, but this is false
security! Trojan horses can already circumvent personal firewalls, and
this will become typical behaviour. The only effective protection against
Trojan horses is to totally avoid untrusted software, and to scan even
"trusted" software with an up-to-date virus scanner. Even then, active
scripting vulnerabilities, which are unfortunately common in popular
browsers and mail programs, may still expose your system to viruses or
Trojan horses. While no firewall can totally protect against an attack
from within, a dedicated hardware firewall stands a much better chance of
blocking a Trojan's activity, simply because the Trojan cannot reconfigure
it from the infected machine. Even then, you should be aware that a Trojan
can disguise its network traffic as legitimate traffic (web traffic, for
example) to pass through a firewall unaffected, or, even worse, can attach
to or interface with an application which is normally allowed to access
the Internet, circumventing the "per-application" restrictions in certain
personal firewalls.
· A personal firewall can make it impractical for others to port scan you
to identify your vulnerabilities. It does so by making scanning more time
consuming: it suppresses the usual RST response on closed ports, so the
scanner has to wait for each connection attempt to time out. A personal
firewall can also defeat automated scanning for active hosts by disabling
ICMP ECHO replies (aka "pings"). Note that neither trick hides a service
you actually leave open; it only makes finding it slower.
Personal firewall CONs
· Since a personal firewall runs on the same computer as it protects, it
can be reconfigured, disabled, or otherwise subverted by malicious
software running on your computer.
· Personal firewalls cannot protect you against serious flood attacks,
because they sit at the end of your relatively slow connection, rather
than at the ISP's high-bandwidth side: the flood has already filled your
link by the time the firewall sees a single packet. Consider a river that
is threatening to overflow: you have to try to stop the flood with
barriers at the river banks. If you don't do that, by the time 10-foot
flood waters surround your house, it's useless to try to stop them just by
sandbagging your front door. This is a very important point, so let me
repeat it: no matter what clever software or hardware you run at home, you
will always be vulnerable to flood attacks.
· Personal firewalls are very noisy. They report normal background
traffic as harmful activity, leading to panic among their users, who in
turn cause a great deal of grief for ISP abuse desks, which now receive
endless reports of "attacks" every time someone executes a totally
innocuous "ping" command.
· Personal firewalls are not a "plug and play" magic fix that you
download, run, and forget. They take time to set up, can be confusing to
people without a lot of computer experience, and require constant
configuring and updating to adapt to new attacks.
· Personal firewalls often get in the way of your legitimate network
activity. Although most firewalls are configured by default to allow
things like web browsing, they may need to be taught about DCC, identd,
ICQ, net gaming, etc.
· Personal firewalls cannot block, find, or remove traditional viruses
which do not generate any network activity; that is the role of
virus-scanning software. For example, if you get an email virus
attachment, your firewall will let it through, since email by itself is an
allowed activity, and if you run the virus and it is designed to erase
your disk, it can still do so, since that doesn't involve any network
activity.
· Many ISPs won't support users with firewalls. For example, Road Runner
requires that firewalls be totally uninstalled before any advanced
technical support is given. They just create too many support headaches.
Indeed, the first troubleshooting step for a user with a firewall should
be to make sure the firewall isn't interfering before calling support.
· Some providers legitimately perform certain probes to determine if a
connection is still active. Blocking these probes could cause you to get
disconnected, so find out from your provider which probes it sends and
from which addresses, and allow those through.
· Blocking TCP RST replies on closed ports has the side effect that any
connection attempt to a closed port takes an extremely long time
(sometimes over a minute) to fail. This can affect mail, FTP and IRC
servers which attempt to make an identd connection back to you and expect
it to succeed or fail quickly; if your firewall lets you choose, reject
identd (TCP port 113) with a RST rather than silently dropping it.
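The "noisy firewall", port-scan and ISP-probe points above all come down to one question: which of the blocked-packet entries in a personal firewall's log actually deserve a report to an abuse desk? The following Python script is an added example written for this edit, not code from the FAQ or from any firewall product. It parses constructed sample log lines in a generic "blocked" format (assumed; no real product writes exactly this), groups them by source address, and separates a port sweep (many distinct ports from one host within a short window) from a lone ping, an ISP gateway's keepalive echo, and an identd lookup from a server you just connected to. The gateway address, the thresholds and the log format are all assumptions.

```python
"""Triage personal-firewall alerts: separate real port sweeps from the
harmless background traffic (pings, ISP keepalives, identd lookups) that
users so often report as "attacks".

Added example for this edit; the log format, addresses and thresholds
below are assumptions, not any real product's format or recommendation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed generic "blocked" format.
# Addresses are RFC 1918 / documentation ranges, not real hosts.
SAMPLE_LOG = """\
2001-03-04 22:10:01 blocked ICMP 192.168.1.1 -> 192.168.1.2 type=8 code=0
2001-03-04 22:10:03 blocked ICMP 203.0.113.7 -> 192.168.1.2 type=8 code=0
2001-03-04 22:10:04 blocked ICMP 203.0.113.7 -> 192.168.1.2 type=8 code=0
2001-03-04 22:10:05 blocked TCP 198.51.100.9:40001 -> 192.168.1.2:113 flags=S
2001-03-04 22:11:02 blocked TCP 198.51.100.200:3344 -> 192.168.1.2:21 flags=S
2001-03-04 22:11:02 blocked TCP 198.51.100.200:3345 -> 192.168.1.2:23 flags=S
2001-03-04 22:11:03 blocked TCP 198.51.100.200:3346 -> 192.168.1.2:25 flags=S
2001-03-04 22:11:03 blocked TCP 198.51.100.200:3347 -> 192.168.1.2:80 flags=S
2001-03-04 22:11:04 blocked TCP 198.51.100.200:3348 -> 192.168.1.2:110 flags=S
2001-03-04 22:11:05 blocked TCP 198.51.100.200:3349 -> 192.168.1.2:139 flags=S
2001-03-04 22:12:30 blocked TCP 192.0.2.50:1025 -> 192.168.1.2:139 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) blocked "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: type=(?P<itype>\d+))?"
)

ISP_GATEWAYS = {"192.168.1.1"}        # assumed: your provider's gateway(s)
SCAN_PORTS = 5                        # distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)   # ... within this window = a sweep
IDENTD_PORT = 113
ICMP_ECHO_REQUEST = 8


def parse(lines):
    """Turn log lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "src": d["src"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "itype": int(d["itype"]) if d["itype"] else None,
        })
    return events


def max_distinct_ports(tcp_events):
    """Largest number of distinct destination ports hit within SCAN_WINDOW
    by the given time-sorted TCP events of a single source."""
    best = 0
    for i, start in enumerate(tcp_events):
        ports = set()
        for ev in tcp_events[i:]:
            if ev["ts"] - start["ts"] > SCAN_WINDOW:
                break
            ports.add(ev["dport"])
        best = max(best, len(ports))
    return best


def triage(lines):
    """Map each source address to a verdict string."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in by_src.items():
        tcp = sorted((e for e in evs if e["proto"] == "TCP"), key=lambda e: e["ts"])
        only_echo = all(e["proto"] == "ICMP" and e["itype"] == ICMP_ECHO_REQUEST
                        for e in evs)
        only_identd = all(e["proto"] == "TCP" and e["dport"] == IDENTD_PORT
                          for e in evs)
        if max_distinct_ports(tcp) >= SCAN_PORTS:
            verdicts[src] = "port scan"       # the one case worth a report
        elif only_echo and src in ISP_GATEWAYS:
            verdicts[src] = "ISP keepalive"   # block this and you may be dropped
        elif only_echo:
            verdicts[src] = "ping"            # innocuous; not an attack
        elif only_identd:
            verdicts[src] = "identd lookup"   # a server you connected to;
                                              # answer with RST, don't drop
        else:
            verdicts[src] = "review"          # e.g. a lone NetBIOS probe
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:16} {verdict}")
```

Run against the constructed log, only 198.51.100.200 is flagged as a port scan; the gateway's echo is marked as a keepalive to leave alone, the two echoes from 203.0.113.7 are just a ping, the single SYN to port 113 is an identd lookup, and the lone NetBIOS probe is left for a human to look at. Tune SCAN_PORTS and SCAN_WINDOW to your own traffic before trusting the verdicts.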
For more information, see the home PC firewall guide and this much more
critical view of "personal firewalls" [ext. links]. Almost all reasonably
adequate personal firewalls are commercial software costing anywhere from
$30 to much more, often with additional annual "update" license fees. Note
that Windows XP comes with its built-in Internet Connection Firewall.