…even if you have a hardware firewall/NAT/whatever.
Larry Osterman has a great post “Firewalls, a history lesson,” in which he makes an analogy to the first world war. An interesting read.
I should take up this fight with my colleagues again. They all think I’m crazy for running as a low-privileged user and having the XP SP2 software firewall on, but when one of the salesmen brings their horribly-infected notebooks into the office for me to disentangle, I’m glad of it.
I remain unconvinced of the merits of a two-way firewall: the trick is not to get the malware onto your PC in the first place. Two-way firewalls are pretty annoying whenever there’s a change to the client software you use; you only have to configure an incoming-only firewall when there’s a change to the services you provide. There’s a common problem in computer security – ensuring that you don’t train the user to just click ‘Yes’ all the time. That’s why the ‘enter root password for elevation’ prompts in Mac OS X worry me, especially since there doesn’t seem to be a way for the user to validate that the prompt came from a secure subsystem rather than J. Random Malware. I’m actually happier that the initial plan for Windows Vista is that “Consent Admins” will default to being presented simply with a dialog explaining the elevation, to which you click Permit to elevate or Deny to refuse.