Monthly Archives: September 2013

When does a hardware firewall become justified?

In a discussion some time ago, the question was raised: “In a small business setup: one server, let's say Server 2008, and anywhere from 4-12 client computers.” How many computers before you really need to fork over the cash for a dedicated firewall appliance?

It seems to be commonly assumed that a dedicated firewall only provides enough benefit for a large network, and that it is difficult to justify one for a small network. Some people assume that small businesses don't need a dedicated firewall, or that a basic router or an offsite security service is adequate. Given the inexpensive dedicated hardware firewall options and virtual appliances available today, that assumption seems as flawed as ever.

My contention is that no network should be without one, even if there is just one PC.


My answer: for several reasons, a dedicated firewall unit can be justified on the LAN:

[1] Egress filtering, that is, protection against threats that originate inside the network: filtering outbound traffic to prevent an employee from leaking proprietary company information (data leak prevention), to control employee web surfing, or to prevent Bob in IT from IRC'ing when he should be working on the servers. The same outbound rules also cut off the command-and-control and exfiltration channels of a workstation that has already been compromised. A dedicated firewall that is managed and monitored with the help of an outside provider, or by a dedicated security team at arm's length from the workstation and server operators, can be a great thing. Such environments should have both a software firewall on each host and a dedicated hardware firewall; security design should be driven by risks and possible impacts, not by the size of the network.

[2] The dedicated nature of an appliance-based firewall reinforces that separation and deters internal attacks against the firewall itself: attacks that might be attempted against, and easily succeed on, a general-purpose PC where users log in, browse the web and install software.

[3] The cost to the business of an intrusion can be significant even if there are only six computers; it takes only one compromise for an attacker to obtain the company's banking information. Therefore there is no minimum workstation count below which a dedicated firewall unit is inappropriate.

[4] Having a dedicated firewall unit offers some measure of 'Defense in Depth'. With multiple layers of security you have a chance of minimising your exposure should one layer be compromised. The physical separation of the firewall reduces the chance that it is compromised at the same time as a computer behind it, and if you configure two firewalls (one dedicated, and one software firewall on each computer), all the better: you are less likely to make the same mistake twice, and two people are less likely to make the same configuration mistake. Therefore a hardware firewall is appropriate even if all your Windows computers come with a software firewall (Windows Firewall with Advanced Security).

[5] My next consideration is that most dedicated firewalls double as a router, providing at the very least NAT/PAT and port forwarding; this is needed to conserve IP addresses, or to share the small number of public addresses provided by the internet service provider. NAT incidentally blocks unsolicited inbound connections, which is why it is often mistaken for a firewall, but it does nothing for egress filtering. IPv4 addresses face exhaustion, and you are unlikely to avoid the requirement to have some device performing NAT at your boundary. If you have to buy a router anyway, it makes a great deal of sense to pay a little more for a device that contributes more to your security posture.

[6] Most modern dedicated firewalls ("Unified Threat Management" devices) filter all the way up to the application layer. Such multi-layer filtering is resource intensive; offloading it to a dedicated device reduces the performance impact on, and incompatibilities with, end-user applications.

[7] Dedicated hardware firewalls are often 'more secure' than software firewalls on a general-purpose host, especially ones that run on minimalist hardware with a hardened OS: less software is installed, fewer services are listening, and nobody browses the web from the device.
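As an added example that is not part of the original post, the following nftables ruleset shows what the egress filtering of [1] looks like on a small-office perimeter device, with the NAT from [5] alongside it. The interface names, the LAN prefix and the allow-listed ports are assumptions chosen for illustration; adjust them to the services the business actually uses.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): a minimal egress-filtering
# policy for a small-office perimeter firewall, in nftables syntax.
# Interface names, the LAN prefix and the port lists are assumptions.
define LAN_IF  = eth1
define WAN_IF  = eth0
define LAN_NET = 192.168.10.0/24

flush ruleset

table inet egress {
    # Outbound services the business is known to use; everything else is denied.
    set allowed_tcp { type inet_service; elements = { 80, 443, 587, 993 } }
    set allowed_udp { type inet_service; elements = { 53, 123 } }

    chain forward {
        # Default deny in both directions; rules below open only what is needed.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Nothing may be initiated from the WAN side towards the LAN.
        iifname $WAN_IF oifname $LAN_IF drop

        # Allow-listed outbound services from LAN hosts.
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET tcp dport @allowed_tcp accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET udp dport @allowed_udp accept

        # IRC is logged and dropped explicitly so the denies stand out when the
        # logs are reviewed by whoever monitors the device.
        iifname $LAN_IF oifname $WAN_IF tcp dport { 6660-6669, 6697 } log prefix "egress-irc-deny " drop

        # Every other outbound attempt is logged, then dropped by the policy.
        iifname $LAN_IF oifname $WAN_IF log prefix "egress-deny " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Share the single public address among the LAN hosts.
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

Load it with `nft -f egress.nft`, or check the syntax first with `nft -c -f egress.nft`. The point to notice is the `policy drop` on the forward chain: a typical consumer router forwards anything outbound, so a leak or a compromised workstation's call-home simply works. A port allow-list is only the first layer, though. It does not stop exfiltration over port 443, which is where the application-layer inspection of [6] comes in, and inspecting encrypted traffic at that layer requires the device to terminate TLS, with its own trade-offs.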



Student arrested for virtually shooting classmates in game

Gray, Louisiana


Real Strike 3D Augmented FPS app

A 15-year-old young man has been arrested for using a smartphone app called Real Strike to “shoot” classmates at H. L. Bourgeois High School. The app places a virtual gun and user interface over the real background seen through the phone's camera, in the style of a first-person shooter game. A student tried out the application and then, regrettably, posted a video of it on YouTube, as an outlet for “getting back” over bullying of which he had been a victim (authorities have since had the video deleted). Another student's parent discovered the video on YouTube and was upset; the parent reported the matter to police.

Authorities decided the student was a threat

Major Wolfe of the local police said, “You can't ignore it. We don't know at what time that game becomes reality. He said it was a result of him being frustrated and tired of being bullied. He said that he had no intentions of hurting anybody. We have to take all threats seriously and we have no way of knowing that without investigating and getting to the bottom of it. With all the school shootings we've had in the United States, it's just not a very good game to be playing at this time.”

The Student faces the possibility of a long prison sentence

The unnamed student now faces criminal charges of terrorizing and interference with the operation of a school, and with them the prospect of a prison sentence.

For more on this, see the KSLA article: “Terrebonne Parish teen arrested for using app to shoot classmates”

and the WGNO article: “Student arrested for using phone app to ‘shoot’ classmates”


It seems sad that authorities and school officials can no longer distinguish a child's fantasy from reality.


Sleep boosts brain cell numbers


In today's BBC Health news there was a great article about new research describing how sleep helps the brain. The research suggests that ‘Sleep boosts brain cell numbers’. Getting enough sleep may have benefits beyond what was previously thought.

If sleep boosts your brain cell numbers, perhaps it also helps you live longer, or avoid disease and other problems. Either way, this research provides yet another reason that getting plenty of sleep is probably a good idea.


Sleep found to enhance protection

In addition,  the article mentions other outcomes of sleep:

Sleep ramps up the production of cells that go on to make an insulating material known as myelin which protects our brain’s circuitry.

The findings, so far in mice, could lead to insights about sleep’s role in brain repair and growth as well as the disease MS, says the Wisconsin team.

The work appears in the Journal of Neuroscience.

Abstract: Effects of Sleep and Wake on Oligodendrocytes and their Precursors

Previous studies of differential gene expression in sleep and wake pooled transcripts from all brain cells and showed that several genes expressed at higher levels during sleep are involved in the synthesis/maintenance of membranes in general and of myelin in particular, a surprising finding given the reported slow turnover of many myelin components.

The article was also just mentioned in this discussion on Slashdot.


The art of abstraction

Computerphile recently did a cool video on the art of abstraction, a fundamental concept in the development and understanding of computation: